
Common Internet Security Terms to be Aware of


We try to be as jargon-free as possible, but in the world of internet security technical terms cannot be avoided. We have therefore created this glossary to explain common terms that you are likely to come across in cyber security.

Ad injection

Ad injection is a black-hat technique in which ads are covertly inserted into a web page without the website owner's knowledge or permission. According to Google, over 50,000 browser extensions and more than 34,000 software applications engaged in the practice. Injected ads can be placed on top of the ads already on the page, obscuring them, can replace the original ads entirely, or can appear on pages that were never meant to carry ads.

Anonymizer

An anonymizer is a collective term for a tool, such as a VPN or proxy, that makes your activity on the Internet harder to trace. The anonymizer accesses the Internet on your behalf, hiding your identifying information: it masks your real Internet Protocol (IP) address and presents another one to the sites you visit, making it more difficult for hackers and other cybercriminals to target you online.

An anonymizer can also be used to bypass censorship in countries where internet access is restricted. Note that any anonymizer will reduce your connection speed somewhat, because your traffic now passes through at least one extra hop.

There are two types of anonymizers. A single-point anonymizer passes your browsing through one intermediary, such as a proxy server or a single VPN server. A networked anonymizer, such as a multi-hop VPN or an onion-routing network, relays your traffic through a chain of computers so that no single one of them sees both who you are and where you are going.

Biometric Authentication

Biometric authentication uses biometric data such as your face, fingerprint or voice to verify your identity, typically as one factor in multi-factor authentication for access to restricted accounts. A biometric is an identifier rather than a secret: it cannot be changed if it is ever copied, which is why it is best used alongside another factor rather than on its own.

Bot

A bot is an application programmed to perform automated, repetitive tasks on the internet on behalf of humans. By most measurements, roughly half of all internet traffic is generated by bots of one kind or another.

Types of bots

Bots can be good or bad, depending on how they have been programmed. Here are examples of different types of bots.

  • Search engine bots
  • Chatbots
  • Informational bots
  • Spambots
  • Transactional bots
  • Scrapers
  • Malware bots

Botnet

A botnet (also known as a zombie network) is a network of compromised devices, often numbering in the thousands or more, each running malware that lets the botnet's operator control it remotely through a command-and-control (C2) server.

Cybercriminals use social engineering, malicious downloads and unpatched vulnerabilities to infect users' computers and other devices and enlist them in a botnet. Once infected, a device can continue to behave perfectly normally, with no symptoms or warning signs.

Cookies

A cookie is a small piece of text that a website asks your browser to store when you visit it. The website sets the cookie in its response (a Set-Cookie header); your browser saves it and sends it back with every later request to that site. Cookies let the site remember things such as that you are logged in, which pages you visited and which preferences you chose, and they let advertisers tailor pages and ads to you. Their main purpose is to carry state between requests, because HTTP itself remembers nothing from one request to the next; a cookie that identifies your logged-in session is therefore as sensitive as your password for as long as it is valid.

Cookie syncing is a user-identification and data-collection process used to make online advertising more effective. It lets the entities tracking you online share what they know about you and link together the IDs each of them has created for your device. They can compare notes and build a better profile of you, all without your knowledge or approval.
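As an added example (not part of the original glossary), the Python below parses Set-Cookie headers the way a browser does and reports the protections a security reviewer looks for on each cookie: Secure (never sent over plain HTTP), HttpOnly (not readable by page scripts) and SameSite (not sent on cross-site requests). It uses only the standard library; the sample headers are constructed for the demonstration.

```python
"""Audit Set-Cookie headers for the attributes a security reviewer looks for.

Added example, not part of the original glossary. The header values below are
constructed for illustration; the check itself applies to any HTTP response.
"""
from http.cookies import SimpleCookie


def audit_set_cookie(header_value: str) -> dict:
    """Parse one Set-Cookie header value and return {cookie_name: [issues]}.

    An empty issue list means the cookie carries Secure, HttpOnly and a
    SameSite attribute (Python 3.8+ is needed for SameSite parsing).
    """
    jar = SimpleCookie()
    jar.load(header_value)
    results = {}
    for name, morsel in jar.items():
        issues = []
        # Secure: the browser only sends the cookie over HTTPS.
        if not morsel["secure"]:
            issues.append("missing Secure (sent in the clear over http://)")
        # HttpOnly: scripts on the page cannot read it, limiting theft via XSS.
        if not morsel["httponly"]:
            issues.append("missing HttpOnly (readable via document.cookie)")
        # SameSite: controls whether cross-site requests carry the cookie (CSRF).
        samesite = morsel["samesite"].lower()
        if not samesite:
            issues.append("missing SameSite (browser default applies)")
        elif samesite == "none" and not morsel["secure"]:
            issues.append("SameSite=None requires Secure")
        results[name] = issues
    return results


def audit_response_cookies(set_cookie_headers) -> dict:
    """Audit every Set-Cookie header of one response; returns {cookie_name: [issues]}."""
    report = {}
    for header in set_cookie_headers:
        report.update(audit_set_cookie(header))
    return report


# Constructed sample response headers (not captured from a real site).
SAMPLE_HEADERS = [
    "sessionid=9f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracking_id=ab12; Path=/; Domain=.example.com",
    "csrftoken=xyz; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for cookie_name, problems in audit_response_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie_name}: {'OK' if not problems else '; '.join(problems)}")
```

The session cookie passes; the tracking cookie lacks every protection; the CSRF token is flagged because SameSite=None is only honoured by browsers when Secure is also present.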

Canvas Fingerprinting

Canvas fingerprinting is a browser-fingerprinting technique designed to identify and track visitors to a website without using cookies. A script on the page instructs your browser to draw text or an image onto an invisible HTML canvas element and then reads the resulting pixels back. Because the exact result depends on your GPU, graphics driver, installed fonts, operating system and browser version, devices render it slightly differently, and a hash of the output serves as a fingerprint for yours. That fingerprint can then be used to recognise you on later visits, and across sites that share the same script, even after you clear cookies. It is not perfectly unique: devices with identical hardware and software produce the same fingerprint, so it is usually combined with other signals.

Daemon

A daemon is a program that runs in the background waiting for requests and handling them when they arrive. A web server is a common example: its daemon waits specifically for HTTP requests. Your web browser, whether Firefox, Google Chrome or Safari, is an HTTP client that makes requests to web servers on your behalf. When you type in a site address or click a link, your browser builds an HTTP request and sends it to the IP address that DNS has resolved for the host name in the URL. The daemon receives your request and sends back the requested file or files.

Data harvesting

Data harvesting is the large-scale extraction of data from websites or apps, often with automated bots (see Scrapers above). For example, data can be collected about the users of a particular app or social media site such as Facebook or Twitter, then analysed and processed into a profile of each user that includes details such as age, gender and location. That profile can then be used to predict what the individual is likely to buy, whether they are likely to take out a loan, which causes they are likely to support, which politicians they are likely to vote for, and so on.

DDoS attack

A DDoS (Distributed Denial-of-Service) attack is a malicious attempt to make a website or online service unavailable by flooding it with traffic from many sources at once, exhausting its bandwidth, connection capacity or server resources. The "distributed" part is what makes it hard to block: the traffic typically comes from a botnet of thousands of compromised devices rather than from a single address. One Q2 2018 threat report found that DDoS attacks had grown 500% in size.

DNS

DNS stands for Domain Name System, the service that translates domain names into IP addresses. So if you want to visit www.dreamspath.com, which has the IP address 105.42.154.50, DNS translates www.dreamspath.com into 105.42.154.50. Network connections are made to IP addresses, not to names, so without DNS you would have to memorise and type an IP address whenever you wanted to reach a website. DNS is essentially the phonebook of the internet.

The Domain Name System is not one large central database listing every website and its IP address. Responsibility is delegated: each domain has its own authoritative name servers that answer for the names under it, and the root and top-level-domain servers point resolvers towards them. Your device normally asks a recursive resolver (usually run by your ISP, your VPN provider or a public DNS service), which walks that chain and caches the answers. Which resolver you use matters for privacy, because it sees every name you look up.
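As an added example (not part of the original glossary), the Python below builds the DNS query a resolver would send for www.dreamspath.com and decodes a reply carrying the A record 105.42.154.50 from the text. The reply bytes are constructed by hand so the code runs offline; it shows what "translating a name into an IP address" means on the wire, including the label encoding and the compression pointers that make DNS replies easy to parse incorrectly.

```python
"""Build a DNS query and decode a reply at the wire level (RFC 1035).

Added example, not part of the original glossary. The reply is constructed by
hand (no network); the host and address are the ones used in the text.
"""
import struct


def encode_name(name: str) -> bytes:
    r"""'www.dreamspath.com' -> b'\x03www\x0adreamspath\x03com\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """12-byte header (RD=1, one question) followed by QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(msg: bytes, offset: int):
    """Decode a possibly compressed name at `offset`; return (name, offset_after_name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:          # compression pointer: 14-bit offset into the message
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2           # the name in the record ends after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_a_records(reply: bytes) -> dict:
    """Return {name: [dotted IPv4, ...]} for the A records in the answer section."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        _, offset = decode_name(reply, offset)
        offset += 4                        # QTYPE + QCLASS
    answers = {}
    for _ in range(ancount):
        name, offset = decode_name(reply, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[offset:offset + 10])
        offset += 10
        rdata = reply[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.setdefault(name, []).append(".".join(str(b) for b in rdata))
    return answers


# Constructed reply to build_query("www.dreamspath.com"): flags QR|RD|RA, the question
# echoed back, and one A record whose name is a pointer (0xc00c) to the question name.
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("www.dreamspath.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([105, 42, 154, 50])
)

if __name__ == "__main__":
    print(build_query("www.dreamspath.com").hex())
    print(parse_a_records(SAMPLE_REPLY))   # {'www.dreamspath.com': ['105.42.154.50']}
```

A resolver does exactly this over UDP port 53; the `decode_name` pointer handling is where real parsers have historically gone wrong (loops and out-of-bounds reads), which is why the code bounds every read to the message.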

DNS Leak

A DNS leak is a flaw in a VPN setup through which your DNS queries escape the tunnel. Although the VPN is supposed to conceal which sites you visit, the browser's DNS requests go directly to your ISP's DNS server, bypassing the VPN. This lets the ISP, and anyone else who can observe that resolver, see which websites you are visiting. Normally the VPN client replaces the ISP's DNS servers with the VPN provider's own resolvers and routes the queries through the tunnel; when that fails, for example over IPv6 or when the operating system has several active network interfaces, queries leak. You can check for leaks at www.dnsleak.com or www.dnsleaktest.com: if the resolvers shown belong to your ISP rather than to your VPN provider, you have a leak.

Domain spoofing

Domain spoofing is when cybercriminals register a domain that imitates the name of a legitimate website. The aim is to fool users into interacting with the malicious site as if it were the genuine one, in order to steal personal information such as login credentials or credit card details, or to trick the visitor into downloading malware.

Here are examples of how spammers may spoof a domain name to trick you into clicking on it.

  • https://fa-cebook.com -> “fa-cebook.com” is not the same as “facebook.com”
  • https://facebook.com.realwebsite.com — “realwebsite.com” is the main website. Note that “facebook.com” here, is a subdomain of “realwebsite.com”
  • https://facebook.co — “facebook.co” is not the same as “facebook.com”
  • https://www-facebook.com — “www-facebook.com” is not a subdomain of “facebook.com”. Note the hyphen in “www-facebook.com”. A genuine subdomain would be separated from the main website domain (SLD) by a period like in “www.facebook.com”.
  • https://faceboek.com — Note that the second "o" in the domain name has been replaced with an "e".
  • A look-alike can also use a letter from another alphabet, such as a Cyrillic "а" in place of the Latin "a". Such internationalised names travel in an encoded form beginning with "xn--", and browsers show that encoding for mixed-script names precisely so that the substitution is visible.

Drive-by Download Attack

A drive-by download is the unintended download of malicious code to your PC or mobile device simply by visiting a web page. The code starts to run as soon as you land on the page; you do not have to click anything, press download or open an attachment. Such downloads usually exploit an unpatched vulnerability in the browser or one of its plug-ins, and they can be served from any site, including legitimate sites that have been compromised or that carry malicious ads. The term also covers unwanted bundled software that is installed alongside something you did choose to download and leaves you exposed to attack.

Emergency Access

Some password managers let you grant emergency access to your vault to one or more designated users. You can also specify an access delay: when a designated user requests access, they must wait a period of your choosing (for example two hours) before they get it, and during that period you can decline the request. If you do not deny the request within the delay, the emergency-access user is able to open your vault.

Encryption

Encryption is the process of converting data (such as a text message or email) into an unreadable form so that its content cannot be understood by anyone who intercepts it without the key needed to reverse the process. When you send a confidential email with a program that scrambles its content so that only the intended recipient can read it, that is encryption in action.

Geo-blocking

Geo-blocking is the practice of limiting access to online services based on geographic location. Streaming services such as Netflix, Hulu and BBC iPlayer do this, as do some dating sites, news sites and others. For example, if you live in the UK you do not have access to the full Netflix catalogue of films and TV shows that is available to US residents. Geo-blocking works by using your IP address to estimate your location, so an American visiting the UK will only be able to access content that is available in the UK.

HTTP

HTTP stands for Hypertext Transfer Protocol. It defines how messages are formatted and transmitted on the web, and what actions web servers and browsers take in response to the various requests and responses. Every exchange between a web browser and a web server is handled over HTTP. Plain HTTP is unencrypted: anyone on the network path can read or alter what is sent.

HTTPS

HTTPS is Hypertext Transfer Protocol Secure, the secure version of HTTP. It is secure because the communication between your web browser and the web server is encrypted and the server's identity is verified, using TLS (formerly SSL). HTTPS is a must for any website on which sensitive information such as passwords or credit card details is exchanged, and you should never enter your password or card details on a site that does not use it. Note the limit of what the padlock tells you: HTTPS proves that you are talking to the domain shown in the address bar without eavesdroppers, not that the site behind that domain is honest, and phishing sites routinely use HTTPS too.

IP Address

IP address stands for Internet Protocol address. It is a number that uniquely identifies a device (such as a computer or smartphone) on a network. If you connect to the internet through a router, it is the router's public IP address that is visible on the internet; the router assigns a private IP address to your computer's network interface, and that private address is not visible from outside.

Your public IP address tells websites where you are connecting from (to the level of your ISP and approximate location) and is what allows you to send and receive data. It is visible to every site you visit; you can find out yours by navigating to whatismyipaddress.com.

IP Leak

An IP leak occurs when, despite your VPN being connected, a website can still see your real IP address. No site should be able to see it while the VPN is on. Common causes are the browser's WebRTC feature disclosing your addresses directly, IPv6 traffic bypassing a VPN that only tunnels IPv4, and the VPN client failing to route some traffic through its own servers.

Keylogger

Keyloggers are monitoring software (or hardware) that record the keystrokes typed on a computer or smartphone keyboard. They are one of the oldest tools cybercriminals use to steal confidential information such as passwords, credit card details and other personal data. Some sophisticated keyloggers, such as those that target mobile devices, can also record calls, messaging-app content and GPS location.

Kill switch

Also known as a VPN kill switch, internet kill switch or network lock, a kill switch is a VPN security feature that is triggered when the VPN connection drops unexpectedly. It blocks all traffic leaving your device until the VPN connection is restored, so that nothing goes out over your normal connection in the meantime. Without one, your device silently falls back to its regular connection and your real IP address is exposed for as long as the VPN is down. A kill switch greatly reduces that risk, though it cannot help with leaks that happen while the VPN is up, such as DNS or WebRTC leaks.

Latency

Latency is the time between a user action and the result of that action, for example the delay between clicking on an image link and the browser displaying that image. If you click a link and several seconds pass before anything appears, you are experiencing significant latency. Anonymizers and VPNs add latency because traffic travels further and through more hops.

MAC Address

A MAC address (media access control address) is a unique identifier assigned to a network interface controller (NIC) and used as its address within a local area network (LAN). Unlike an IP address, which can change every time you connect, the MAC address is burned into the hardware. It can, however, be overridden in software (MAC spoofing), and modern phones and laptops randomise the MAC address they present to Wi-Fi networks precisely so that it cannot be used to track the device. MAC addresses are only visible on the local network; they do not travel across the internet.

Malicious Hotspots

A malicious hotspot is a rogue Wi-Fi network that fools users into thinking they are connecting to a legitimate one. Hotels are a prime target. For example, say you are staying at the GoodNight Inn and want to connect to the hotel's Wi-Fi. When you browse the available networks you may find "GoodNight Inn", which looks like the hotel's network but is not. If you connect to it, you have joined a rogue network whose operator can intercept everything you send that is not encrypted and can try to redirect you to fake login pages.

Malware

Short for malicious software, malware is any program designed to infiltrate and cause damage to computers, devices or websites, or to steal data from them. Malware covers all types of threats to your computer, including spyware, viruses, worms, Trojans, ransomware and so on.

Malvertising

Malvertising is the use of online advertising networks to deliver otherwise normal-looking ads that carry malicious code or link to malicious pages. Because ad networks place ads on legitimate, high-traffic sites, malvertising is a common way to trigger drive-by downloads without compromising the site itself.

Man-In-The-Middle Attacks (MitM)

A man-in-the-middle attack is a form of eavesdropping. When you connect to a website, an attacker positioned between you and the site can read, and possibly alter, everything that passes between you unless the connection is encrypted and the server's identity is verified, as with HTTPS. These attacks are often carried out by setting up fake public Wi-Fi networks in places such as coffee shops and shopping malls.

Master Password

The master password is the one password you have to create, and remember, when using a password manager. It is the key that unlocks all of your stored credentials, so it should be long, unique and never reused anywhere else.

Multi-layer security

Multi-layer security (also called defence in depth) means having multiple safeguards in place and using them together, so that if one fails others still protect you. For example, instead of relying on a password as your only layer, add two-factor authentication, encryption and a VPN on untrusted networks. Then even if a cybercriminal obtains your password, they still cannot get into your account without the second factor.

Multi-Factor Authentication

Multi-factor authentication is a method of access control in which a service grants you access only after you present several independent pieces of evidence that you are who you claim to be. This evidence comes in three categories: something you know (such as a password), something you have (such as your phone or a hardware security key) and something you are, which covers biometric methods such as fingerprint readers, retinal scanners and facial recognition. Two factors from the same category, such as a password and a PIN, do not count as multi-factor.

No Logs Policy

A no-logs policy means the provider keeps no record of your personal details, the websites you visit or what you search for. So in the event of a data breach, a server compromise or a government request, there is nothing about you to hand over, because nothing was recorded in the first place.

Almost every VPN claims to protect your anonymity with a no-logs policy, but a claim is not proof. If the provider is headquartered in a country belonging to the 5/9/14 Eyes intelligence-sharing alliances, it may be legally compelled to start logging user data and to hand it over to the authorities, regardless of how good its technology is. If online privacy is a top priority, prefer a provider based outside those jurisdictions and, ideally, one whose no-logs claim has been independently audited.

Protocols (for VPNs)

A Virtual Private Network (VPN) protocol is the set of rules that governs how data is encapsulated, encrypted and transmitted between your device and a VPN server. Think of a protocol as a language that both ends have to speak in order to communicate: the VPN software on your device and the VPN server must use the same protocol for the connection to work.

One Time Passwords

A one-time password is a password that is valid for only one login session or transaction. Because a stolen code is useless once it has been used or has expired, OTPs protect your account even if your static password has been compromised, which is why they are widely used as the second factor in two-factor authentication. They are not a complete defence: a phishing site can relay a code to the real site in real time, so a code must still only ever be entered on the genuine site.

Password Generator

A password generator is a tool that creates random, unique and complex passwords. You can usually specify how long the password should be and whether it may include numbers, uppercase and lowercase letters and special characters. Some generators can also produce pronounceable passwords or passphrases made of random words, which are long but still possible to memorise. A good generator draws on a cryptographically secure random source, because passwords produced with an ordinary pseudo-random function can be reproduced by an attacker who learns the seed.

Payload

A payload, in the context of a virus or worm, is the component that carries out the malicious activity once the code is running on a victim's machine. A virus or worm with a destructive payload is far more dangerous than one with a relatively benign payload, even if both spread in the same way.

Perfect Forward Secrecy

Perfect forward secrecy (PFS) is a property of a key-exchange protocol: every session derives its encryption keys from fresh, temporary (ephemeral) key material that both sides discard afterwards, rather than from a long-term private key. As a result, someone who records your encrypted traffic today and steals the server's (or VPN provider's) long-term private key tomorrow still cannot decrypt the recorded sessions, and compromising one session's key exposes only that session. Without forward secrecy, for example with the older RSA key transport in TLS, the session key is encrypted under the server's long-term key, so whoever later obtains that key can decrypt every conversation they captured. Many VPNs and TLS 1.3 go further and also rotate keys within a long-lived session, so that even a compromised session key only exposes a small window of traffic.
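As an added example (not part of the original glossary), the Python below contrasts a key exchange with and without forward secrecy using Diffie-Hellman. The group parameters are a deliberately tiny toy prime so the arithmetic stays readable; real protocols use 2048-bit MODP groups or elliptic curves, and the SHA-256 call stands in for a proper key-derivation function. It demonstrates the point made above: an eavesdropper who records a handshake and later steals the server's long-term private key can recompute the session key only when that long-term key was the one used in the handshake.

```python
"""Forward secrecy: ephemeral Diffie-Hellman versus a reused long-term key.

Added example, not part of the original glossary. P and G are toy parameters
chosen for readability and are NOT secure; the key derivation is simplified.
"""
import hashlib
import secrets

P = 2147483647      # toy modulus (2**31 - 1); real systems use 2048-bit groups or curves
G = 7               # toy generator


def dh_keypair():
    """Private exponent and public value; with ephemeral DH this is generated per session."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(my_priv: int, their_pub: int) -> bytes:
    """Derive a symmetric key from the shared DH secret (stand-in for a real KDF)."""
    shared = pow(their_pub, my_priv, P)
    return hashlib.sha256(b"session" + shared.to_bytes(4, "big")).digest()


def run_ephemeral_session():
    """Forward-secret handshake: both sides use fresh keys, agree, then discard the exponents.

    Returns (client_key, server_key, transcript); the transcript is all an eavesdropper sees.
    """
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    client_key = session_key(c_priv, s_pub)
    server_key = session_key(s_priv, c_pub)
    del c_priv, s_priv                      # the ephemeral exponents never leave this function
    return client_key, server_key, {"client_pub": c_pub, "server_pub": s_pub}


def run_static_session(server_static_priv: int, server_static_pub: int):
    """Non-forward-secret variant: the server reuses one long-term DH key for every session."""
    c_priv, c_pub = dh_keypair()
    client_key = session_key(c_priv, server_static_pub)
    server_key = session_key(server_static_priv, c_pub)
    return client_key, server_key, {"client_pub": c_pub, "server_pub": server_static_pub}


def attacker_recovers_key(transcript: dict, stolen_server_priv: int) -> bytes:
    """What an eavesdropper computes from a recorded transcript plus a later-stolen server key."""
    return session_key(stolen_server_priv, transcript["client_pub"])


if __name__ == "__main__":
    static_priv, static_pub = dh_keypair()           # the server's long-term key
    key, _, transcript = run_static_session(static_priv, static_pub)
    print("static DH, key stolen later -> decrypts old session:",
          attacker_recovers_key(transcript, static_priv) == key)          # True
    key, _, transcript = run_ephemeral_session()
    print("ephemeral DH, key stolen later -> decrypts old session:",
          attacker_recovers_key(transcript, static_priv) == key)          # False
```

In the ephemeral case the stolen long-term key is simply irrelevant to the recorded handshake; the only values that could reproduce the session key were the two ephemeral exponents, and both were discarded when the session ended.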

Proxy Server

A proxy server is a type of anonymizer that acts as an intermediary for requests from clients seeking resources from web servers. The proxy sits between you and the web server you are trying to reach: your traffic flows through the proxy on its way to the address you requested, the response comes back through the same proxy, and the proxy forwards it to you.

The proxy masks your real Internet Protocol (IP) address and presents its own to the website, making it more difficult for hackers and other cybercriminals to target you and allowing you to get around restrictions and censorship. Unlike a VPN, however, a plain proxy generally does not encrypt your traffic, and the proxy operator can see everything that passes through it.

Secure Notes

Secure notes is an all-encompassing term for sensitive information stored in a password manager that is not a login, such as credit card details, national insurance numbers, software licence keys or online receipts. Data in secure notes is encrypted in the same way as your passwords.

Sideloading

Sideloading, a term formed by analogy with uploading and downloading, is the installation of a third-party application on a mobile device without going through the device's official app store. Such apps are typically downloaded from third-party stores or directly from websites. Because they bypass the official store's review and signing checks, they are more likely to carry malware, and a device that has been configured to allow sideloading is easier to trick into installing one.

Split Tunneling

If you run your VPN on your router rather than on each device, split tunneling lets you decide which traffic goes through the encrypted VPN tunnel and which goes to the internet directly with your regular IP address. For example, you can route all of your computers through the VPN while leaving a device such as a printer or smart TV outside the tunnel so that it keeps working with services that block VPN addresses. This is useful because some services, such as online banking or streaming sites, may refuse connections that arrive from a VPN. The trade-off is that anything you exclude from the tunnel is exposed exactly as it would be without the VPN.

Resuscitator

Resuscitators are files designed to bring a software program back to life after it has been removed from a computing device; malware typically uses them to reinstall itself after a clean-up.

Social engineering

Social engineering is the manipulation of people rather than technology. The attacker engineers a situation that encourages a potential victim to trust them and let their guard down, for example by posing as IT support, a bank or a colleague, and then persuades the victim to hand over information, click a link or grant access. The attacker plays a mind game with the victim to accomplish a malicious goal for which no technical exploit is needed.

Snooping and Sniffing

Cybercriminals can buy inexpensive kits and devices that let them capture network traffic (sniffing) and read what you are doing online (snooping), from the pages you visit to your login credentials, and even hijack your sessions. This is especially easy on open Wi-Fi networks and on any connection that is not encrypted; HTTPS and a VPN are the standard defences.

Software Vulnerability

A software vulnerability is a security weakness in any piece of software, such as an operating system, an application or a library it depends on, that renders it susceptible to exploitation by attackers. Keeping software updated matters because most exploited vulnerabilities already have a patch available.

Spoofing

Spoofing is the act of disguising a message from a shady source so that it appears to come from a recognised, trusted source. It can be applied to text messages, emails, phone calls, IP addresses, DNS responses and websites. Spoofing can also redirect internet traffic, leading visitors to malicious sites designed to steal information or distribute malware.

SSL

SSL stands for Secure Sockets Layer, the original protocol for establishing an encrypted link between your browser and a web server so that eavesdroppers and hackers cannot see what you transmit, which is a must if you process sensitive information such as card payments on your website. SSL has been superseded by TLS (see below); all versions of SSL itself are now considered insecure and are disabled in modern browsers, and when people say "SSL" today they almost always mean TLS.

To offer HTTPS, your web server needs a certificate installed on it (still commonly called an "SSL certificate"). The certificate, signed by a certificate authority that browsers trust, ties your domain name to the server's public key. Whenever a browser connects to your site, it checks that the certificate has not expired, that its name matches the domain in the address bar and that it chains to a trusted authority before completing the connection; if any check fails, the user sees a warning.

Torrent IP leak

A torrent IP leak occurs when your torrent client reveals your real IP address to other peers while you are torrenting, even though you are using a VPN. Torrent traffic normally goes through the VPN tunnel, but a client bound to the wrong network interface, or a VPN drop without a kill switch, exposes your real address to everyone in the swarm.

TLS

TLS stands for Transport Layer Security, the successor to SSL. It fixes the security flaws found in the SSL protocols and offers stronger encryption; TLS 1.2 and TLS 1.3 are the versions in current use, and older versions have been retired. As an end user you do not need to worry much about TLS versus SSL or whether a site has an "SSL certificate" or a "TLS certificate": the certificate is the same thing, and your browser negotiates the protocol.

Two-Factor Authentication

Two-factor authentication, also known as 2FA, is an authentication method that requires two different factors (see Multi-Factor Authentication) before you can access an account. It is one of the most effective ways of securing your online accounts, because an attacker has to obtain both your password and your phone or security key to get in. Authenticator apps and hardware keys are stronger second factors than SMS codes, which can be intercepted or redirected by SIM swapping.

Unlocked Phone

An unlocked phone is a phone that is not tied to a specific mobile provider, so it can be activated on any provider's network by inserting that provider's SIM card.

Virus

A computer virus is malicious code named after its biological counterpart. It attaches itself to other programs or files and replicates when they run, spreading from file to file and device to device. Like the biological specimen, it consumes resources and can make the device seem "sick", that is, slow or unresponsive. In some cases, a virus is designed to destroy information or render a device completely unusable.

VPN Protocol

A VPN protocol is the technology a VPN provider uses to build a fast and secure tunnel between your device and its servers; common examples are OpenVPN, WireGuard and IKEv2/IPsec (see Protocols (for VPNs) above).

Web Server

A web server is a computer, together with the software running on it, that hosts websites. Its job is to store, process and deliver web pages to users over HTTP or HTTPS.

Website Spoofing

Website spoofing is the creation of a fake website that is almost indistinguishable from the real one. The aim is to steal your login credentials by getting you to log in to the fake site. The best way to spot a bogus site is to look closely at the domain name in the address bar. A fake site cannot use the real domain, so its name has to be a variation of the real one: instead of www.nike.com, for example, the address might read www.nikesales.com. See Domain spoofing above for the common variations.
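As an added example (not part of the original glossary), the Python below applies the checks behind both the Domain spoofing list (an extra hyphen, a brand name used as a subdomain, a swapped TLD, a substituted letter) and the nikesales.com case above, and also catches IDN homographs such as a Cyrillic "а" in "fаcebook.com", whether the link shows the Unicode name or its "xn--" encoding. The sample links are constructed; the "last two labels" rule for the registrable domain is a simplification, and production code should consult the Public Suffix List so that names like example.co.uk are handled correctly.

```python
"""Tell a look-alike domain from the real one.

Added example, not part of the original glossary. The registrable-domain rule
(last two labels) is a simplification; use the Public Suffix List in practice.
"""
from urllib.parse import urlsplit

# Characters that render like Latin letters, mapped to the letter they imitate.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                   # Cyrillic с х у
    "0": "o", "1": "l", "3": "e",                                  # digit look-alikes
})


def host_of(url: str) -> str:
    """Lower-case host with any punycode (xn--) labels decoded back to Unicode."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    if host.isascii():
        host = host.encode("ascii").decode("idna")   # plain ASCII labels pass through unchanged
    return host


def registrable_domain(host: str) -> str:
    """Strip leading subdomains: 'facebook.com.realwebsite.com' -> 'realwebsite.com'."""
    return ".".join(host.split(".")[-2:])


def skeleton(name: str) -> str:
    """Fold look-alike characters so visually identical names compare equal."""
    return name.translate(HOMOGLYPHS)


def classify(url: str, expected: str) -> str:
    """Return 'legitimate', 'unrelated' or 'lookalike (<reason>)' for a link vs the brand's domain."""
    host = host_of(url)
    actual = registrable_domain(host)
    expected = expected.lower()
    if actual == expected:
        return "legitimate"
    if skeleton(actual) == skeleton(expected):
        return "lookalike (homograph or digit substitution)"
    name, _, tld = actual.partition(".")
    ename, _, etld = expected.partition(".")
    if name == ename and tld != etld:
        return "lookalike (different TLD)"
    if expected in host or ename in name.replace("-", ""):
        return "lookalike (brand name embedded in another domain)"
    if len(name) == len(ename) and sum(a != b for a, b in zip(name, ename)) == 1:
        return "lookalike (one substituted letter)"
    return "unrelated"


# Constructed links, including the ones discussed in the glossary text.
SAMPLE_LINKS = [
    ("https://www.facebook.com/login", "facebook.com"),
    ("https://fa-cebook.com", "facebook.com"),
    ("https://facebook.com.realwebsite.com", "facebook.com"),
    ("https://facebook.co", "facebook.com"),
    ("https://www-facebook.com", "facebook.com"),
    ("https://faceboek.com", "facebook.com"),
    ("https://f\u0430cebook.com/login", "facebook.com"),   # Cyrillic а in place of Latin a
    ("https://www.nikesales.com", "nike.com"),
    ("https://example.org", "facebook.com"),
]

if __name__ == "__main__":
    for link, brand in SAMPLE_LINKS:
        print(f"{link:42} vs {brand:13} -> {classify(link, brand)}")
```

Only the first link is legitimate; every other facebook.com variant from the list above, the nikesales.com example and the Cyrillic homograph are reported as look-alikes with the reason, and an unrelated domain is reported as such rather than as a spoof.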


Top 15 Ways to Harden Your WordPress Blog and Protect it From Hackers


On average 30,000 websites are hacked every day (source: Sophos Security Threat Report). WordPress is estimated to power about 30% of all websites, and that popularity makes it a massive target for hackers and malware. Statistics show that more than 70% of WordPress installations are vulnerable to known attacks, and that 83% of the roughly 90,000 websites reported hacked each day are running WordPress.

This is why it is so important to take as many precautions as possible to secure your site. If you run a small blog you might be thinking "no hacker could possibly be interested in my tiny site". Unfortunately, that is exactly the mentality that keeps people from taking any action to prevent these attacks in the first place.

It is important to realise that most attacks are automated. Attackers use software that scans the web for sites with known weaknesses, such as outdated plugins or default usernames, and exploits them regardless of how big or small the site is. So if you leave the front door to your website wide open, so to speak, something will eventually walk in.

Google has stated that it flags around 10,000 malware-infected websites every day and around 50,000 phishing sites every week. When a site is flagged, browsers that use Google Safe Browsing show visitors a full-page warning before loading it, and Google labels it as hacked in search results until it is cleaned up, which can wipe out a site's traffic. This is what can happen to you if you do not take proper care of your website.

While you cannot stop anyone from attacking your site, you can make an attacker's job as difficult as possible and encourage them to move on. Read on for 15 things you can do today to reduce the risk of a successful attack and keep your website as secure as possible.

1. Change your WordPress admin username.

Changing the default WordPress username is one of the simplest and quickest things you can do to protect your site. The most common attack on WordPress is a brute-force attempt to log in with the administrator's username; if that username is admin, you have already handed the attacker half of the information they need to gain administrative access.

When choosing a username, avoid using the following names:

  • Your domain name
  • Your first, middle or last name or full name
  • Any common English names
  • The name you use to moderate comments on the site

If you have already set up your blog, note that WordPress does not let you rename a user from the dashboard. Instead, create a new user with the Administrator role and a unique, hard-to-guess username (a mix of letters and numbers), log in as that user, and delete the old account, attributing its posts to the new one when prompted. Alternatively, change the user_login value directly in the wp_users database table.

2. Use a strong password that is virtually impossible to crack.

A unique, complex password that is not easy to guess is vital to the security of your WordPress site. You can use the password WordPress generates for you automatically: it contains a random mix of numbers, meaningless letter combinations and special characters such as % or ^, and it is very strong. Its one drawback is that it is impossible to remember, which is why it belongs in a password manager.

Another option is a passphrase, which is easier to remember and, if chosen well, just as hard to crack. A passphrase is longer than a password and is made of several words separated by dashes or spaces, such as "You-cannot-have-a-harvest-without-planting-a-seed". Do not take it from a song, a famous quotation or anything else that exists in print: password-cracking tools include dictionaries of lyrics and quotes. Pick four or more unrelated words at random instead; the strength of a passphrase comes from how many equally likely combinations an attacker has to try, not from how meaningful it is to you.


3. Hide your username from being found.

An attacker can easily discover your WordPress administrative username with a tool such as WPScan. They can also find it by appending ?author=1 to your site's address, for example www.domain.com/?author=1. If that author ID is valid, WordPress redirects to the author's archive page, for example http://www.example.com/author/admin/, and the last part of that URL is the username.

This works even after you change the administrative username. If you changed it to iron25dude, requesting www.example.com/?author=1 redirects to http://www.example.com/author/iron25dude/, because the author archive slug is derived from the login name.

Usernames also appear in the page source of posts and pages (for example in the body class and in author links) and, on WordPress 4.7 and later, in the REST API at /wp-json/wp/v2/users, which lists every user who has published content. This is why it is so important to hide the username and to avoid publishing anything from the administrator account.
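As an added example (not the article's own code), the Python below checks whether a site leaks usernames through the ?author=N redirect described above. The probe function takes a fetch callable, so here it runs against constructed responses that stand in for a site with two users; the real fetcher uses only the standard library and deliberately does not follow redirects, because the Location header is what reveals the slug. Only run it against sites you own or are authorised to test.

```python
"""Check whether a WordPress site leaks usernames through /?author=N redirects.

Added example, not the article's own code. `probe_author_ids` takes a `fetch`
callable so the logic can run offline against the constructed responses below;
`http_fetch` is a real fetcher that does not follow redirects. Only run it
against sites you own or are authorised to test.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urlsplit

AUTHOR_PATH = re.compile(r"/author/([^/?#]+)")


def http_fetch(url: str):
    """GET `url` without following redirects; return (status, headers) so that the
    Location header of a 301/302 is visible to the caller."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None            # do not follow; urllib then raises HTTPError for the 3xx
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def slug_from_location(location: str):
    """'https://www.example.com/author/iron25dude/' -> 'iron25dude'; None if not an author archive."""
    match = AUTHOR_PATH.search(urlsplit(location).path)
    return match.group(1) if match else None


def probe_author_ids(base_url: str, max_id: int = 10, fetch=http_fetch) -> dict:
    """Request /?author=1 .. /?author=max_id and collect the author slugs revealed by redirects.

    The slug is the user_nicename, which WordPress derives from the login name
    unless the site has changed it.
    """
    found = {}
    for author_id in range(1, max_id + 1):
        status, headers = fetch(f"{base_url.rstrip('/')}/?author={author_id}")
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status in (301, 302) and location:
            slug = slug_from_location(location)
            if slug:
                found[author_id] = slug
    return found


# Constructed responses standing in for a site with two users (not real traffic).
FAKE_SITE = {
    "https://www.example.com/?author=1": (301, {"Location": "https://www.example.com/author/iron25dude/"}),
    "https://www.example.com/?author=2": (301, {"Location": "https://www.example.com/author/editor-jane/"}),
}


def fake_fetch(url: str):
    """Offline stand-in for http_fetch; unknown IDs get a 404 like a site with no such author."""
    return FAKE_SITE.get(url, (404, {}))


if __name__ == "__main__":
    print(probe_author_ids("https://www.example.com", max_id=5, fetch=fake_fetch))
    # {1: 'iron25dude', 2: 'editor-jane'}
    # Against a site you own: probe_author_ids("https://your-site.example", max_id=10)
```

An empty result after you apply the fixes in this article (or a 403/404 for every author ID) means the redirect no longer gives the usernames away; remember to check the REST API users endpoint separately.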

Take the following actions to avoid displaying your administrative username:

  1. Go to your profile page (Users -> Profile) and make sure the First Name, Last Name and Nickname fields are filled in. The nickname field is auto-filled with your username; it lets you set a display name that is different from your username or your first and last name.
  2. From the "Display name publicly as" drop-down menu, choose the name that should appear on blog posts, pages and so on. You can even choose something like Admin to give attackers the impression that you are using admin as your username.
  3. The quickest way to hide the login page itself is with the WPS Hide Login plugin, although that means adding yet another plugin to your WordPress site.

Note that the display name only changes what visitors see on the page. The ?author= redirect and the REST API expose the user's slug (user_nicename), which WordPress sets from the username when the account is created and does not update when you change the display name. To close that leak you either have to change user_nicename in the database (the wp_users table) or block author-ID redirects and the public users endpoint, which several security plugins, including All In One WP Security, offer as an option.
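To see what an attacker sees, here is an added example (not from the original article) that performs the two checks described above: it counts up through ?author=1, 2, 3 without following the redirect and reads the slug from the Location header, and it asks the REST users endpoint for the same list. The site name is a placeholder and the responses are constructed, so it runs offline; swap in http_fetch to run it against a site you own.

```python
"""Check a WordPress site for username leaks via the ?author=N redirect and the
public REST users endpoint. Added example, not from the original article; the
site name is a placeholder and the responses below are constructed."""
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# A fetcher returns (status, headers, body) and must NOT follow redirects: the
# username is in the Location header of the 301/302, not in the final page.
Fetcher = Callable[[str], Tuple[int, Dict[str, str], str]]
AUTHOR_SLUG = re.compile(r"/author/([^/?#]+)/?")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # make urllib raise the 3xx as HTTPError instead of following it


def http_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    """Live fetcher (standard library only). Not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 3xx and 4xx responses land here
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def enumerate_authors(base_url: str, fetch: Fetcher, max_id: int = 10) -> Dict[int, str]:
    """Map author IDs to the user_nicename slug leaked by the ?author=N redirect."""
    found: Dict[int, str] = {}
    for author_id in range(1, max_id + 1):
        status, headers, _ = fetch(f"{base_url.rstrip('/')}/?author={author_id}")
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        match = AUTHOR_SLUG.search(location)
        if status in (301, 302) and match:
            found[author_id] = match.group(1)
    return found


def rest_users(base_url: str, fetch: Fetcher) -> Dict[int, str]:
    """Map IDs to slugs from /wp-json/wp/v2/users (lists every user with a published post)."""
    status, _, body = fetch(f"{base_url.rstrip('/')}/wp-json/wp/v2/users")
    if status != 200:
        return {}  # endpoint blocked, or not a WordPress 4.7+ site
    try:
        users = json.loads(body)
    except json.JSONDecodeError:
        return {}
    return {u["id"]: u["slug"] for u in users if "id" in u and "slug" in u}


# Constructed responses for a site with two authors. Note that the display name
# ("name") is "Site Owner" while the slug still says "admin": changing the
# display name does not hide the username.
SAMPLE_RESPONSES = {
    "https://blog.example/?author=1": (301, {"Location": "https://blog.example/author/admin/"}, ""),
    "https://blog.example/?author=2": (301, {"Location": "https://blog.example/author/iron25dude/"}, ""),
    "https://blog.example/wp-json/wp/v2/users": (200, {"Content-Type": "application/json"}, json.dumps(
        [{"id": 1, "slug": "admin", "name": "Site Owner"}, {"id": 2, "slug": "iron25dude", "name": "Iron Dude"}])),
}


def fake_fetch(url: str) -> Tuple[int, Dict[str, str], str]:
    return SAMPLE_RESPONSES.get(url, (404, {}, "Not found"))


def demo() -> Tuple[Dict[int, str], Dict[int, str]]:
    base = "https://blog.example"  # placeholder, not a real site
    return enumerate_authors(base, fake_fetch, max_id=3), rest_users(base, fake_fetch)


if __name__ == "__main__":
    authors, rest = demo()
    print("?author= redirects:", authors)   # {1: 'admin', 2: 'iron25dude'}
    print("REST /wp/v2/users :", rest)      # {1: 'admin', 2: 'iron25dude'}
```

Run it against your own site with the live fetcher and, if either function returns the administrator's slug, the display-name change above has not helped; the slug itself, or the redirect and the endpoint, must go.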

4. Disable error login hints.

By default, WordPress tells you exactly which part of a login failed. Enter an unknown username and it says that the username is not registered on this site; enter a valid username with the wrong password and it says that the password you entered for that username is incorrect.

This may be helpful for you, but it is just as helpful for an attacker, who now knows which half of the credentials they already have right and can concentrate on the other. Since WordPress 4.5 you can also log in with your email address instead of a username, which gives an attacker a second thing to confirm. Replacing these messages with a single generic one makes it harder to tell a bad username from a bad password. Bear in mind that it closes only this one leak: the lost-password form still reports whether a username or email address exists, and the author enumeration described above is unaffected, so treat this as one layer rather than a fix on its own.

To do so, add the following code to your theme's functions.php file. Put it in a child theme or in a small site-specific plugin rather than in the parent theme, otherwise the next theme update will overwrite it:

// Replace WordPress's specific login error messages with one generic message.
function no_wordpress_errors() {
    return 'Something is wrong!';
}
add_filter( 'login_errors', 'no_wordpress_errors' );

This removes the default error messages from your login screen. Now, whether you or anyone else enters an incorrect username, password or email address, WordPress simply shows "Something is wrong!" without any hint as to which part was wrong.

If you don't feel comfortable editing functions.php directly, you can add the same code with the Code Snippets plugin.

5. Limit the number of login attempts that a single user can make.

By default, WordPress allows unlimited login attempts, so an attacker can keep guessing passwords until one works. The usual fix is a plugin that counts failed logins and temporarily blocks the client after too many. The original Limit Login Attempts plugin did this, but it has not been updated in years; its maintained fork, Limit Login Attempts Reloaded, is the one to use if you want a standalone plugin.

Another option is the brute force protection that came from the BruteProtect plugin, which Automattic (the company behind WordPress.com and Jetpack) acquired and built into Jetpack. Many hosts pre-install Jetpack, although it is not part of WordPress itself; if you have it, activate the brute force protection feature in the Jetpack settings. It blocks login attempts from IP addresses that Jetpack's network has seen making too many failed logins.

If you don't want yet another plugin, and you always log in from a fixed IP address, you can restrict the login page to that address in the .htaccess file in your WordPress root. The rules must be wrapped in a <Files> block so that they apply only to wp-login.php; placed bare in .htaccess they would block visitors from the whole site:

<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from xx.xxx.xxx.xxx
</Files>

This denies everybody except the IP address you specify (replace the placeholder with your own public IP address), and you can add an Allow line for each other person who needs to log in. A few caveats: the Order/Deny/Allow syntax is Apache 2.2 style, and on Apache 2.4 the equivalent inside the same <Files> block is "Require ip" followed by your address; the rules do nothing on nginx, which does not read .htaccess; if your ISP gives you a dynamic IP address you will lock yourself out when it changes; and WordPress also accepts a username and password over xmlrpc.php, which brute force tools use to test many passwords in a single request, so block or disable XML-RPC as well unless something you rely on, such as Jetpack or the WordPress mobile app, needs it.
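The counting logic that "limit login attempts" plugins implement, as an added example (not from the original article and not the code of any plugin named here): a sliding window of failures per client IP and per target account, a lockout once the window fills, and expiry of both. The thresholds are assumptions, and the scenarios it runs are constructed.

```python
"""Sliding-window login throttle of the kind 'limit login attempts' plugins implement.
Added example, not from the original article and not the code of any plugin named in it;
the thresholds (5 failures in 15 minutes, 1 hour lockout) are assumptions."""
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Tuple


class LoginThrottle:
    def __init__(self, max_attempts: int = 5, window_s: int = 900, lockout_s: int = 3600,
                 clock: Callable[[], float] = time.time):
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock  # injectable so behaviour can be simulated without waiting
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}

    @staticmethod
    def _keys(ip: str, username: str) -> Tuple[str, str]:
        # Count per client IP *and* per target account, so an attacker rotating
        # through many IPs against one account is still caught.
        return f"ip:{ip}", f"user:{username.lower()}"

    def is_locked(self, ip: str, username: str) -> bool:
        now = self.clock()
        return any(self._locked_until.get(k, 0.0) > now for k in self._keys(ip, username))

    def record_failure(self, ip: str, username: str) -> bool:
        """Record a failed login. Returns True if this failure started a lockout."""
        now = self.clock()
        triggered = False
        for key in self._keys(ip, username):
            q = self._failures.setdefault(key, deque())
            q.append(now)
            while q and q[0] < now - self.window_s:  # forget failures outside the window
                q.popleft()
            if len(q) >= self.max_attempts:
                self._locked_until[key] = now + self.lockout_s
                q.clear()
                triggered = True
        return triggered

    def record_success(self, ip: str, username: str) -> None:
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def simulate() -> Dict[str, bool]:
    """Constructed scenarios; every value should come out True."""
    now = [1_000_000.0]
    th = LoginThrottle(max_attempts=5, window_s=900, lockout_s=3600, clock=lambda: now[0])
    results: Dict[str, bool] = {}
    # 1. One IP makes five bad guesses at 'admin' in quick succession.
    triggered: List[bool] = [th.record_failure("203.0.113.7", "admin") for _ in range(5)]
    results["locked_on_fifth_failure"] = triggered == [False] * 4 + [True]
    results["same_ip_other_account_blocked"] = th.is_locked("203.0.113.7", "editor")
    results["other_ip_same_account_blocked"] = th.is_locked("198.51.100.9", "admin")
    results["unrelated_login_allowed"] = not th.is_locked("198.51.100.9", "editor")
    # 2. Lockouts expire.
    now[0] += 3601
    results["lock_expired"] = not th.is_locked("203.0.113.7", "admin")
    # 3. Failures older than the window no longer count.
    for _ in range(4):
        th.record_failure("192.0.2.5", "editor")
    now[0] += 901
    results["old_failures_forgotten"] = not th.record_failure("192.0.2.5", "editor")
    return results


if __name__ == "__main__":
    for name, ok in simulate().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Two things a real implementation has to get right that this sketch glosses over: the counters must live somewhere shared, such as the database or object cache, because every PHP request starts from scratch; and the client IP must be the real one, so behind a CDN or reverse proxy you need to read the forwarded address from a header you actually trust, otherwise an attacker can spoof it and never get locked. Locking the account as well as the IP also lets an attacker lock out the real owner on purpose, which is why many plugins lock only the IP, or lock the account for a much shorter time.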

6. Setup two-factor authentication (2FA) on the login page.

You can add another layer of security by enabling two-factor authentication. Before anyone can log in, they must present a second factor (usually a six-digit code from an authenticator app on their phone) as well as the password, so a stolen or guessed password is not enough on its own. You can configure this with the freemium plugin Google Authenticator – Two Factor Authentication; the free plan is probably enough for what you need. Two things to check: enable it for every administrator account, not just your own, and make sure the plugin also covers or blocks XML-RPC, since xmlrpc.php accepts a username and password directly and would otherwise let an attacker log in with the password alone.

7. Set directory permissions carefully.

If you look at the directories and files in the File Manager in cPanel, you will see a permissions column with three-digit numbers. Those numbers decide who can read, change or run each file or directory: the first digit is the owner's rights, the second the group's and the third everyone else's on the server, where read counts 4, write counts 2 and execute counts 1. So 644 means the owner can read and write the file and everybody else can only read it.

You can click a permission number, enter a new value and save it. But what number should you use? Generally speaking, the fewer rights you grant, and above all the fewer you grant in the "everyone else" digit, the more secure that file or directory is.

The one number you must absolutely avoid is 777. It lets any user on the server, not just you, write to the file or directory, so an intruder on a neighbouring account can modify your files, upload malicious code and take over your website. For the whole file system, including directories, subdirectories and individual files, set directories to 755 and files to 644. wp-config.php, which holds your database credentials, is commonly locked down further (for example 600, if your host runs PHP as your own user, so that nothing else can read it). This matters even more on shared hosting, where "everyone else" includes the other customers on the server. If a plugin or upload only works after you set 777, the problem is the file's ownership, not its permissions, so fix that instead.
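To check a whole install against those targets rather than clicking through File Manager, here is an added example script (not from the original article) that walks a directory tree, flags anything looser than 755 for directories or 644 for files, and tightens it. It builds a small fake WordPress tree in a temporary directory so it runs offline, and the stricter 600 for wp-config.php is an assumption in the script's own table, not a WordPress default.

```python
"""Permission audit for a WordPress tree. Added example, not from the original
article; the sample tree is constructed in a temporary directory."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

DIR_MODE = 0o755
FILE_MODE = 0o644
# Assumed stricter target for files holding secrets (a common recommendation, not a WordPress default).
STRICT_FILES: Dict[str, int] = {"wp-config.php": 0o600}

Finding = Tuple[str, str, str]  # (relative path, actual mode, expected mode), modes as octal strings


def expected_mode(path: str, is_dir: bool) -> int:
    return DIR_MODE if is_dir else STRICT_FILES.get(os.path.basename(path), FILE_MODE)


def audit_permissions(root: str) -> List[Finding]:
    """Flag every entry under root whose mode grants a permission bit its expected mode lacks."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow symlinks out of the tree
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            expected = expected_mode(full, is_dir)
            if actual & ~expected:  # extra bits such as group/world write, setuid or setgid
                findings.append((os.path.relpath(full, root), f"{actual:o}", f"{expected:o}"))
    return sorted(findings)


def fix_permissions(root: str, findings: List[Finding]) -> int:
    """Tighten each flagged entry to its expected mode; returns how many were changed."""
    for rel, _actual, expected in findings:
        os.chmod(os.path.join(root, rel), int(expected, 8))
    return len(findings)


def build_sample_tree() -> str:
    """Construct a tiny fake WordPress install with two bad modes: uploads/ at 777, wp-config.php at 644."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("index.php", "wp-config.php", "wp-content/uploads/photo.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("sample\n")
        os.chmod(os.path.join(root, rel), 0o644)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)  # the mode the article warns against: writable by every user on the host
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, actual, expected in audit_permissions(tree):
        print(f"{rel}: is {actual}, should be {expected}")
    print("fixed:", fix_permissions(tree, audit_permissions(tree)))
    print("remaining:", audit_permissions(tree))  # []
```

Point it at a real install over SSH (for example, call audit_permissions on the document root) before calling fix_permissions, and review the findings first: a host that runs the web server as a different user from you may legitimately need group write on wp-content/uploads, which this script would flag.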

8. Do some due diligence when choosing your shared hosting provider.  

Hosting plays a big part in how exposed your website is. Shared hosting is the most popular type of plan because of its relatively low cost, but it is also the most exposed. On a shared plan your website sits on one web server alongside hundreds or thousands of other customers' sites, sharing the same operating system, web server software and usually the same public IP address. Each customer normally gets their own home directory and FTP account, but unless the host isolates accounts properly, the web server process or a neighbouring account may still be able to read or write your files.

For example, if one of the other sites on the server does not adopt proper security measures and gets hacked, the attacker can try to use that foothold to reach the other sites on the same server.

You can also opt for a managed WordPress hosting account or a VPS, so you don't share a server with other website owners. If you must go with shared hosting, here are some things to check about security before signing up:

  1. Runs current, supported versions of PHP and MySQL/MariaDB, and lets you choose the version for your site.
  2. Isolates each account from the others, for example by running each site's PHP under its own user account so that one site cannot read another's files; a firewall between sites on the same server is not a substitute for this.
  3. Has intrusion detection in place and alerts you when something suspicious happens on your account.

9. Update your WordPress to the latest version

Updating to the latest version of WordPress is vitally important for the security of your site. If you are not running the latest version, you are running software with publicly known vulnerabilities. Hackers are always on the lookout for holes that let them into sites, and an unpatched install leaves the door open.

Every WordPress security release comes with notes describing what was fixed, which tells attackers exactly what to try against sites that have not updated, and finding those sites is easy because the version number is visible in the page source and in readme.html. The good news is that WordPress has installed minor and security releases automatically by default since version 3.7 and emails the site administrator when it does. Major releases still need to be applied from the Dashboard unless you opt in to automatic major updates (an option on the Updates screen since 5.6), so check for pending updates regularly rather than relying on the emails alone.

10. Only login to your site from a safe and trusted computer.

When you think about protecting your WordPress website, you should also consider the computer you use to access it. If that device is already infected, a keylogger or password-stealing malware can capture your administrator credentials the moment you log in, and no amount of hardening on the server will help. The same goes for logging in over an insecure connection such as a public Wi-Fi hotspot, where anyone on the network can tamper with unencrypted traffic; make sure the site uses HTTPS before you enter a password.

No matter how secure we make our website, if the device we use to access it is compromised, the chances of the site being hacked are much higher. Before you log in, make sure the device is clean: keep its operating system and browser patched and scan it with up-to-date antivirus software.

11. Hide your database from hackers.

A WordPress website consists of files and a database, and all of your content, users and settings live in that database. That makes it a favourite target, and because every default install names its tables with the wp_ prefix (wp_users, wp_options and so on), attackers can write one automated SQL injection payload that works against any site using the defaults.

You can change the prefix during installation, and it does not matter what you choose as long as it is unique and not wp_. Be clear about what this buys you, though: it is obscurity, not a fix. A SQL injection hole that lets an attacker query information_schema will reveal your table names whatever you called them, so a custom prefix only defeats lazy scripts; fix the vulnerable plugin or theme first. If you have already installed WordPress, changing the prefix afterwards means renaming every table and updating the prefixed entries in the options and usermeta tables (such as the user_roles option and the capabilities meta key), so you may need a developer for that.

12. Avoid WordPress plugin vulnerabilities.

Plugins are wonderful because of the functionality they add to your site, but the way you manage them is crucial to your site's security, because a single badly coded, out-of-date or rogue plugin runs with full access to your site and is enough to bring the whole thing down.

According to a Wordfence survey of hacked site owners, 55.9% of the compromises were attributed to plugin vulnerabilities. This is why it is so important to pay particular attention to the way you manage plugins on your website.

Here are tips for keeping your site safe through effective plugin management:

  1. Scan for WordPress plugin vulnerabilities. If you are unsure about any plugin, start by checking the WPScan Vulnerability Database, which lists plugins and their known vulnerabilities.
  2. Choose the right plugins. No plugin is 100% secure, but you can significantly reduce plugin vulnerabilities by doing some due diligence before installing them. This means only installing plugins from reputable sources such as the WordPress plugin repository, CodeCanyon or trusted third-party sites. Here is what to check to find out whether a plugin is worth installing:
     • User reviews.
     • Updates and compatibility with the current WordPress version.
     • Active installations.
     • Support and documentation.
     • Average user ratings.

  3. Update plugins regularly. Out-of-date plugins are one of the most common ways hackers get into WordPress websites. Plugin developers release updates that often include security fixes, so it is vitally important to keep your plugins on the latest version.

Chart of hacked WordPress sites (chart by Visualizer Life)

According to a Sucuri analysis, three popular out-of-date plugins (Gravity Forms, TimThumb and RevSlider) accounted for 18% of the hacked WordPress sites they looked at in Q3 2016. So, even if you choose the right plugins for your site, your site will still be at risk if you don't keep them up to date. The easiest way to keep plugins updated is to enable automatic updates: since WordPress 5.5 you can turn these on per plugin from the Plugins screen, and the free Easy Updates Manager plugin gives you finer control over what updates automatically. Read the changelog before enabling auto-updates on a plugin your site depends on, since a bad release can break things as well as fix them.

  4. Delete unwanted plugins. Go through your list of plugins and delete any that you are not using. Deactivating is not enough: a deactivated plugin's files stay on the server and can still be reached directly by an attacker, so remove them completely.

  5. Only install well-maintained plugins. This means only using plugins that have been updated within the last year and are tested with a recent WordPress version. When a plugin is no longer maintained, newly discovered vulnerabilities never get fixed. One great thing about WordPress is that for every plugin out there, there are usually one or two alternatives to choose from. Use as few, well-maintained plugins as possible.

13. Delete any themes you’re not using.

Another way to keep your site secure is to delete any themes you are not using. An installed theme's files stay on the server whether or not it is active, so a vulnerability in an unused theme can still be exploited and used to inject malicious code. The fewer themes you have, the fewer chances an attacker has. When you are choosing a new theme you may install several to compare them; once you have decided, go back and delete the others. Keep one default WordPress theme installed, though, since WordPress falls back to it if your active theme breaks.

14. Keep a record of everything that happens on your WordPress.

It is important to know what is happening on your WordPress website: who logged in, from where, and what they did once they were in. The WP Activity Log plugin records these events in an activity log, covering everything done by everyone who logs in. Since the log lives in your own database, a successful intruder can tamper with it, so if you rely on it for investigations, send a copy somewhere external or at least back it up regularly.

15. Install a security plugin.

There are several WordPress security plugins available for your website. Here are four free and freemium security plugins that you can use to protect your site and keep it safe and secure.

Wordfence

Wordfence is one of the most widely used WordPress security plugins. It includes an endpoint firewall, which runs inside WordPress itself, and a malware scanner that checks all your WordPress files, including themes, plugins, posts and comments, for malware infections.

Features:

  • Malware scanning
  • Monitors everything that takes place on your site, such as file changes, last logins and failed login attempts
  • Protects against common web attacks such as SQL injection and XSS by matching known attack patterns
  • Endpoint (application-level) firewall that runs inside WordPress, so no DNS changes are needed
  • Protects against brute force attacks
  • Improves site performance by blocking malicious traffic
  • There’s a free version and the pro version is $299 per year.

All-In-One WP Security & Firewall

The All In One WP Security & Firewall plugin is comprehensive and completely free. It covers many aspects of WordPress security, is well supported and regularly updated, and has a user-friendly interface that makes it easier to set up than most security plugins. Security and firewall rules are grouped into basic, intermediate and advanced categories and scored with a points system, so you can tighten things progressively and see how far you have got. It also includes an option to stop user enumeration via ?author= requests. Like any plugin that inspects every request it adds some overhead, but it is lighter than most.

Features:

  • Completely free
  • Scans for malicious patterns
  • Uses IP filtering to blacklist specific IP addresses
  • Allows you to generate strong passwords
  • Login lockdowns after failed login attempts
  • Website-level firewall

BulletProof Security

This plugin provides security for various types of online threats. The free plan offers a diverse range of security features including malware scanner, firewall, login security, DB backup, anti-Spam & much more. You can upgrade to the premium plan if you are interested in advanced security features, but the basic plan is sufficient to secure most small business websites.

Features:

  • Completely free
  • Scans for malware
  • User-friendly interface
  • Automatically logs out idle sessions
  • Protects logins
  • Database backups
  • Firewall protection

Cerber Security, Antispam & Malware Scan

Cerber Security, Antispam & Malware Scan is a free security plugin that mitigates brute force attacks by limiting the number of login attempts and defends against hacker attacks, spam, trojans and malware. Additional features are offered on a premium plan.

Features

  • Reduces brute force attacks
  • Limits login attempts
  • Automatically identifies and deletes spam comments
  • Advanced malware scanner
  • Two-factor authentication
  • Hides wp-admin from users that are not logged in
  • Protects wp-login.php, wp-signup.php and wp-register.php from attacks

Conclusion

So, there you have it. Securing your WordPress site from online threats should be a priority. I hope you now have the info you need to choose the ideal security tool for your needs.

CYBER SCAMS

Phishing Attacks – How They Work


Phishing is one of the oldest and most common online threats: cybercriminals trick users into revealing sensitive information or installing malware, most often by email.

Email phishing is the most widely known form of phishing where scammers send fake emails that seem to come from authentic sources in a ruse to get users into revealing personal and financial information. However, attackers can also use phone calls, text messages or social media to try to fraudulently acquire your details.

While some very complicated schemes can be devised, virtually all types of phishing are based on a basic concept: millions of untargeted phishing emails are sent out each day asking for confidential information or encouraging recipients to visit a fake website where they’re asked to update personal information.

What phishers will do is message customers with an email ostensibly from a trusted organization (such as Microsoft, your bank, Facebook, PayPal, Amazon, etc.). They know that people are more inclined to pay attention to those types of messages.

Sometimes it can be practically impossible for the average customer to tell that the message is not really from the organisation it claims to come from, because it carries the organisation's logo and formatting and looks exactly like a genuine email. The "From" address may be a lookalike of the company's real domain or, where the company has not set up email authentication (SPF, DKIM and DMARC), simply forged to show the real address. The message will usually include a link that looks like a convenient way to log in and update your details, but it leads to a spoofed copy of the legitimate site, set up for the sole purpose of stealing your credentials or infecting your device with malware.

While this is the basic pattern, there are schemes of much greater complexity used to steal confidential information. With the huge increase in remote working during COVID-19, phishing continues to rise. According to security experts, as many as 3 in 10 workers worldwide clicked a phishing link in 2020; in the US, it is 1 in 3.

So, how did these scammers get hold of your private email address in the first place? Well, here are a few methods they use.

  1. They use bots to harvest email addresses by crawling the web for the @ sign. If your email address is publicly available on any website, a scammer is likely to find it and add it to their database.  
  2. They buy lists legally or through the dark web. This is why it is important to read the privacy policy before you sign up or submit your details to an online service. You need to know exactly what they are going to do with your email address.
  3. They use specialist tools to generate common usernames and pair them with well-known domains. For example, they might send email to maryj@gmail.com, davidhamilton@yahoo.co.uk and thousands of other combinations of names.

Examples of phishing attacks

Since the first lockdown in March 2020, the number of sites impersonating online services has skyrocketed. In fact, during the first lockdown period from March 2020 to July 2020, at least 1 in 5 people worldwide received phishing emails related to COVID-19. In addition, phishing email scams targeting Netflix subscribers increased by 646%. Cybercriminals have also faked the email addresses of the NHS Test and Trace service, HMRC, Amazon and Tesco. Email phishing scams have also targeted drivers, asking them to verify their driving licence details or warning of a failed tax payment and asking for banking information.

Another type of phishing scheme involves sending out emails targeting customers of well-known delivery companies, on the expectation that even if only a few recipients respond it will pay off. For example, over the festive period a number of people received fake emails claiming to be from Royal Mail and the delivery firm DPD, saying that a parcel could not be delivered. The legitimate-looking emails asked recipients to click a link and pay a shipping fee so the parcel could be redelivered. People who were actually expecting a package reported being caught out by the scam.

If you suspect that an email or text message is a phishing attempt, do not reply to it or use any link or phone number it contains; contact the company through the details on its official website or on your card or statement instead. Most legitimate businesses will never ask you for your password in an email. Your usernames and passwords are personal to you, and you should never give your login credentials to anyone who asks for them.

Phishing attack types:

Spear phishing

Where most phishing attacks cast a wide net, spear phishing attacks are personalised and aimed at a specific, well-researched individual, business or organisation. As with other phishing attacks, the aim is to infect the recipient's computer with malware or to steal information. Attackers use information gathered from social media and other public sources to tailor the lure. For example, if you let it be known that you will be travelling to the Caribbean on holiday, you may receive an email from a "colleague" recommending a restaurant to check out. If you click the link or open the attachment in that email, malware is likely to be installed on your computer.

Smishing

This type of phishing attack is delivered to smartphone users by text message, enticing you to click on a link in the message. For example, you might receive a text saying that your bank account has been disabled because suspicious activity was detected, with a link to "recover" the account. Never click these links: they lead to spoofed websites that impersonate your accounts to steal your login details or infect your phone with malware. Some texts specifically target HSBC customers; they are sent to thousands of mobile numbers in the hope of reaching some actual HSBC customers. Banks do not send you a login link by text, so open the bank's app or type its address yourself instead.

Social media phishing

Cybercriminals use social media sites such as Facebook as a platform to launch cyberattacks designed to steal personal information or spread malware. Some attacks are even used to hijack your accounts to attack your friends.

Examples of social media phishing attacks:

  • You receive an email claiming to be from Facebook that your account has been ‘reported for abuse’. You’re then prompted to login to a spoofed Facebook login page to provide personal information and update your credit card info to prove that your account is legit.
  • You may be prompted to like and share innocuous-looking photos of puppies and other animals on Facebook. These photos are actually posted by cybercriminals to generate tons of likes and shares. Once the photo has received a large number of likes, the fraudster will link the photo to a fake website that downloads malware to the computing device of anyone who subsequently clicks on that photo.
  • During the holidays, you’re likely to come across fake coupons from the major supermarkets, offering a certain amount off your next purchase. The ploy is to get you to fill out the details, which means you will be handing over your personal information to fraudsters.

Search engine phishing

This type of attack occurs through search engines. Cybercriminals setup well-optimized but fraudulent websites that can appear in the organic search results for popular keywords or search terms.

Voice phishing

With voice phishing (also known as vishing), the scammer impersonates a government agency or other organisation on the phone and tries to extract money or sensitive information such as banking details. Vishers use fear tactics to dupe you into thinking your money is in danger and you must act quickly. They threaten people with police arrest, deportation, license revocation, etc. Personal data can be gathered from social media profiles, providing fraudsters with sensitive details to make cyberattacks appear more legitimate. Fraudsters often spoof phone numbers to disguise the real origin of the call.

Pharming

Pharming is when an attacker manipulates domain name system (DNS) resolution, by poisoning a DNS cache, changing the DNS settings on your home router or editing the hosts file on your computer, so that typing the correct address takes you to a fake website built to steal confidential information. These "spoofed" websites can steal your personal data, including usernames, passwords and banking information, or install malware on your computer. This type of attack is particularly worrying because you can have a completely clean computer and still be redirected. One sign worth heeding: a pharmed copy of a site cannot normally present a valid HTTPS certificate for the real domain name, so never click past a browser certificate warning on a site where you are about to log in.

How can I spot a phishing email scam?

The fact of the matter is, anyone can make a mistake.

It only takes a split-second lapse in judgement to fall into the hands of an attacker.

Fortunately, many phishing attacks often share the same warning signs that reveal their true nature as a phishing attempt.

According to Action Fraud, the following characteristics are common to phishing scams:

  1. The sender's address does not match the legitimate organisation's domain. Look at the part after the @ sign, not just the display name, and read it carefully: a single swapped or misspelt character means a different domain. (The example screenshot showed a misspelling in a URL claiming to be from Facebook.)
  2. Generic greetings. Most legitimate companies know their customers' names and use them, so "Dear customer" is often enough on its own to separate real emails from fake ones.
  3. Unexpected attachments. Never open an attachment from an unsolicited email, even when you recognise the sender, as their account might have been hacked; the risk is simply not worth it. According to the 2019 DBIR, email attachments were the leading malware delivery method in 2018 incidents, with 45% of malware arriving as attached Microsoft Word documents.
  4. Pressure. Phishing emails seek a quick, emotional response using inflammatory or threatening language, for example an "account disabled" notice warning that your account will be terminated unless you act immediately.
  5. The link goes somewhere other than where it claims. The destination may look like the proper address, but even a single character's difference means you are going to a different website.
  6. The destination address looks fishy. To see where a link leads without clicking it, hover your cursor over it and read the URL shown in the browser's status bar (usually the bottom left corner); on a phone, press and hold the link to preview it.
  7. Requests for confidential details such as login information or bank details. Legitimate companies do not ask for these in an unsolicited email.
  8. The email claims to be from a leading brand but is full of spelling and grammatical mistakes.
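The signs above can be checked mechanically. Here is an added example (not from the original article) that parses a raw email, compares the sender's domain and each link's real target with the brand the message claims to be from, undoes common digit-for-letter substitutions to catch lookalike domains, and looks for pressure language. The brand table and both sample messages are constructed; it is a heuristic, not a substitute for a mail gateway that also checks SPF, DKIM and DMARC results.

```python
# Phishing-sign checks. Added example, not from the original article; the brand
# table and the sample messages are constructed.
import email.utils
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed brand table: brand -> domains it genuinely sends from or links to.
KNOWN_BRANDS: Dict[str, List[str]] = {
    "facebook": ["facebook.com", "facebookmail.com"],
    "paypal": ["paypal.com"],
}
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|disabled|verify your account|act now)\b", re.I)
HOMOGLYPHS = str.maketrans("013$5", "oless")  # digits and symbols commonly swapped for letters


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self) -> None:
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain extraction (no public suffix list; an assumption)."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in ("co", "org", "ac", "gov") and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def lookalike_brand(domain: str) -> Optional[str]:
    """Brand a domain imitates: the brand name appears in the label once homoglyphs are undone."""
    if any(domain in legit for legit in KNOWN_BRANDS.values()):
        return None  # genuine domain
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    return next((brand for brand in KNOWN_BRANDS if brand in label), None)


def analyse(raw: bytes) -> List[str]:
    """Return warning reasons for a raw RFC 5322 message (empty list = nothing flagged)."""
    msg = email.message_from_bytes(raw)
    reasons: List[str] = []
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender = registrable(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    brand = lookalike_brand(sender) if sender else None
    if brand:
        reasons.append(f"sender domain {sender} imitates {brand}")
    body = ""
    for part in msg.walk():  # gather text and HTML parts; attachments are ignored
        if part.get_content_type() in ("text/html", "text/plain"):
            body += part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
    parser = _LinkParser()
    parser.feed(body)
    for href, shown in parser.links:
        target = registrable(urlparse(href).hostname or "")
        # Link text that itself looks like a URL or domain must match where the link really goes.
        looks_like_url = "." in shown and " " not in shown
        shown_host = urlparse(shown if "://" in shown else "http://" + shown).hostname if looks_like_url else None
        if shown_host and registrable(shown_host) != target:
            reasons.append(f"link text shows {registrable(shown_host)} but goes to {target}")
        imitated = lookalike_brand(target)
        if imitated:
            reasons.append(f"link target {target} imitates {imitated}")
    if URGENCY.search(body):
        reasons.append("pressure language urging immediate action")
    return reasons


SAMPLE_PHISH = b"""From: Facebook Security <security@faceb00k.com>
Subject: Your account has been reported for abuse
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Your account will be <b>disabled</b> unless you verify your account immediately.</p>
<p><a href="http://login.faceb00k.com/verify">https://www.facebook.com/login</a></p>
"""
SAMPLE_LEGIT = b"""From: Facebook <notification@facebookmail.com>
Subject: You have a new friend request
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>You have a new friend request.</p>
<p><a href="https://www.facebook.com/friends">See your requests on facebook.com</a></p>
"""

if __name__ == "__main__":
    print("phish:", analyse(SAMPLE_PHISH))  # four reasons
    print("legit:", analyse(SAMPLE_LEGIT))  # []
```

Feed it a saved .eml file (read in binary) to try it on real mail. Each reason maps to one of the numbered signs above; a message that trips several at once is the pattern to worry about, while a single hit, especially the pressure-language one, will also fire on plenty of genuine notifications.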

How can I avoid phishing attacks?

Phishing messages are getting more sophisticated and harder to spot. No matter how observant or vigilant you are, some may still get past you. Here are some tips to help you avoid the most common phishing attacks.

  • Configure a spam filter that detects blank senders, spam, viruses and so on.
  • Always hover your mouse over links in emails to check where you are being directed to.
  • Be especially wary of emails that try to put pressure on you to perform a specific action.
  • Update your operating system and applications with the latest security patches and updates.
  • Get a premium VPN that blocks malicious websites.
  • Install antivirus and antimalware software.
  • Set your mail client to display messages as plain text, so that links show their real targets rather than clickable text.
  • Be wary of emails with links or attachments from people you don't know, and do not click on links from unfamiliar sources.
  • Do not enter your personal details into any website on the basis of an unsolicited email. If you think a message might be genuine, type the organisation's address into your browser yourself instead of following the link.
  • Use a password manager and turn on two-factor authentication: a password manager will not autofill your password on a lookalike domain, and a second factor limits what a stolen password is worth.

Where to report a suspicious email:

  • Suspicious Email Reporting Service (National Cyber Security Centre): forward suspicious emails to report@phishing.gov.uk
  • Report a Suspicious Email to PayPal
  • Cyber Aware (NCSC guidance)

CYBER SCAMS

Recruitment Fraud – How to Avoid Being Scammed


With the unemployment chaos and hardship brought on by the COVID-19 pandemic, fraudsters are targeting vulnerable job seekers who are looking for work. Scammers will take advantage of every opportunity they can find, and the ongoing pandemic has created a perfect storm for fake job scams to thrive. This scam has been so rampant that it has prompted some big brands to release public announcements stating that they never ask for money during their recruitment process.

Read on to recognize how this cruel scam works so that you know how to prevent yourself from becoming another victim of a recruitment scam.

How do fake job scams work?

Recruitment scams make it appear as if you’re being offered a job role. But in reality, there is no job, and the scammers are simply trying to get at personal information that you as a job seeker would freely provide to prospective employers. These include your full name, proof of address, social security number/national insurance number, bank details and copies of your passport. The scammers can then use these credentials to assume your identity and raid your bank account, apply for personal loans and mobile phone contracts or set up fake businesses in your name.

Recruitment scams are generally well organized and sophisticated, often using fake recruitment agencies and conducting telephone and video interviews with applicants. Some job scams even go as far as offering you employment. This can make it difficult to spot a fake job offer until it’s too late.

A fake recruitment scam typically begins with scammers flooding the jobs market with fake advertisements targeting people who are looking for work. You may discover several enticing job offers on the largest and most trusted job sites such as Indeed, Reed, CV-Library or LinkedIn. Scammers may set up fake companies to facilitate the scam, but they can also spoof real companies and steal the identities of HR managers and recruiters to make the scam appear as authentic as possible. So, just because you find an enticing job offer on a big job site does not mean the offer itself is genuine.

Some recruitment scams also involve getting you to pay for fake online training to improve your CV so that you can be considered for the role. These bogus courses may look like they were put together by professional organisations, and you may even be provided with a certificate when you complete the course. In addition, you might be asked to complete a bogus background check that costs £50.  

What to look out for:

Fake job openings can sometimes be hard to spot. Fortunately, there are things you can do to prevent yourself from becoming a victim of a recruitment scam. Before you apply for any ‘hot job’, review the following warning signs that might indicate that the job offer is actually fake.

Does the company have a professional website?

Never assume that a job is legitimate just because the ad for the job is on a well-known platform. If you come across a job listing that looks very enticing, take the time to research the company before you apply. Start with the company’s website. If they don’t have one or the site is unprofessional or thin on content, consider that a red flag. A genuine company will have professional-looking website with real information about the company.

Look up the WHOIS record for the company's domain to see when it was registered; the creation date is shown even when the registrant's details are hidden by a privacy service. If the domain was only registered a few months ago, consider that another major red flag. Does the company have an active social media presence with genuine followers? If it is absent or inactive on social media, it is probably safe to conclude that you are dealing with a job scam.

Does the job offer sound too good to be true?

Steer clear of job listings that offers you above average income for part-time hours or where the qualification requirements are very low. Job scammers often list job requirements that are very simple to get as much interest in the role as possible. When searching for a job in your field, you should have a clear idea of the average salary your job pays, so you should be able to tell when a salary is unrealistic. If the pay rate is far higher than you would typically earn, consider this to be a major red flag. Remember, if it sounds too good to be true, there’s every chance that it is.

Check for grammar and spelling

Genuine businesses employ professional writers, and their job descriptions are always carefully worded and written with attention paid to things like punctuation, grammar and spelling. If the job requirements or description are poorly worded, vague, or littered with capitalisation, spelling and grammatical errors, consider this a big warning sign that the job is probably not real.

They ask you for money or confidential information

Legitimate businesses will never ask you for confidential information or to pay for something as part of the application process. On the other hand, job scammers often ask for bank account details, national insurance numbers and other confidential info as part of an elaborate scam.

If the job is a sensitive role in that it involves working with children or vulnerable people, you’ll be required to complete a DBS check. But before you do so, ensure the website is listed here: dbs-ub-directory.homeoffice.gov.uk/. If you are required to take a course prior to starting work, verify that any course you are asked to take is provided by an accredited firm on nmj.cipd.co.uk/qualification-finder.

They offer you a job right away

If a company contacts you out of the blue and wants to hire you right away based on your CV which they found online, you should be very wary of that job offer. Legitimate companies will always have a formalised procedure which involves at least a formal interview. You should be wary of any vacancy that offers a job without an interview process, as it is likely to be fake.

For more information on how you can protect yourself from recruitment fraudsters, visit: www.safer-jobs.com

If you have been victim of recruitment fraud, contact Action Fraud on 0300 123 2040.

Have you been a victim of a fake job scam? Please share your story in the comments.

Categories
CYBER SCAMS

LinkedIn Scams – How to Avoid Them and Protect Yourself

Reading Time: 4 minutes

As the world’s largest professional network, LinkedIn is probably the last place you would expect to be associated with internet scams. It is a powerful platform that you can use to cultivate professional business relationships. But cybercriminals target websites with large user bases, and LinkedIn’s 760 million members are very attractive to them. Furthermore, LinkedIn provides attackers with easy access to a treasure trove of personal information and corporate data that can be used to commit a range of cybercrimes such as spear phishing attacks and identity fraud.

Here are some of the most prolific LinkedIn scams to watch out for in 2021.

Phishing emails

LinkedIn phishing emails are fraudulent emails that are designed to fool the unsuspecting recipient into thinking that they have received an email from the social network. LinkedIn is the world’s most trusted social network, and that trust is why emails with “LinkedIn” in the subject line have an open rate of almost 50%.

Here are the most common LinkedIn phishing emails:

Bogus connection requests

Fake connection requests from fake users are one of the most prevalent scams on LinkedIn. LinkedIn members get used to clicking on links in these messages, and therein lies the threat. The email will look like an authentic LinkedIn email, with the exact LinkedIn logo and branding. It may also ask you to click the link to “visit your inbox now”, or ask you to “accept” or “ignore” the invitation. If you click any of these links, you will be directed to a spoof webpage mimicking the official LinkedIn website, where you will be prompted to type in your login credentials. The aim is to steal your personal information, which can then be used to commit identity-related fraud.

Cloned profiles

A LinkedIn profile gets cloned when a fraudster creates a brand new LinkedIn account in your name. When the account is created, the fraudster copies all of your personal information to the fake profile, including photos, projects and credentials that they find on your account, to make it look identical to your own profile. Once the cloned account is set up, your connections might receive a LinkedIn message from the fraudster that includes a malicious, active link for your connections to click on.

Fake support emails

Fraudsters send you a bogus email pretending to come from LinkedIn support. The email will often contain a clickable link to a bogus webpage where you’ll be prompted to confirm your login credentials. In some variations, it might also say that your LinkedIn account has been blocked due to inactivity. Clicking on the link in the email can result in malware, spyware or some other type of malicious software being downloaded to your device. Alternatively, you may be taken to a bogus LinkedIn webpage where you’ll be prompted to enter your login credentials.

What to do if you receive a fake LinkedIn message

  1. Do not click on links in emails that purport to come from LinkedIn unless you are absolutely sure of the email’s source. You can check where a link goes by hovering over it. As you do this, look at the bottom left of your web browser, which will show you where the link will take you. If it shows anything other than LinkedIn’s home page, you can be sure that you’re dealing with a scammer.
  2. Create a stronger password straightaway.
  3. Increase the security of your account by setting up two-factor authentication.
  4. Contact LinkedIn support.

Fake LinkedIn profile

There has been an explosion of fake LinkedIn profiles created by scammers for a variety of purposes. Some scammers create fake profiles to pose as recruiters or candidates in order to attract new connections. For example, a scammer might create a bogus profile pretending to be a job candidate so they can connect with other candidates who are in the same field. The goal of the scammer is to earn your trust so that you agree to connect when they send you an invite.

But connecting with a fake LinkedIn profile can give scammers a lot of important information about you, including details about your history and contacts. In addition, once you accept their invite, fraudsters also gain access to your LinkedIn email address. They can then check that email on sites like haveibeenpwned.com to find out if you’re using the same password on multiple sites.

Once you accept their invite, scammers will leverage this trust to send you messages that could contain malicious links. You might also receive fake job offers designed to steal personal information and other devious schemes. So, if you receive an invitation to connect with someone you don’t know on LinkedIn, be sure to check out the user’s profile before you accept that invitation.

How can I identify a fake LinkedIn profile?

It is important to know how to spot fake LinkedIn profiles so that you can avoid connecting with them. There are certain things to look out for that will indicate you’re dealing with a fake profile.

1. Fake photo

This is probably the most obvious sign that you can use to identify a fake profile. Scammers know that a profile without a photo is less trustworthy than a profile with a picture, so they tend to use professional stock images for their photos. If you have reservations about a particular profile, you can check whether the photo is legitimate by doing a reverse image search of the photo on Google.

  1. Go to images.google.com
  2. Click the camera icon
  3. Paste in the URL for the image.

Google will show you where that image has been used online. If you see that the profile photo is a stock photo from Shutterstock, Getty Images, etc. or has been used on multiple LinkedIn profiles, then there’s very little doubt that you’re dealing with a fraudster.

2. Thin content

Fake profiles will have sketchy background information about the person that just doesn’t add up. It will often be incomplete, lack cohesiveness and contain generic work titles such as ‘Manager’. Real profiles often contain relevant information that helps you understand the user’s background. If a LinkedIn profile lacks any meaningful information about the member, it is highly likely that the profile is fake.

3. Poor spelling and grammar

Many fake profiles will often have general presentation issues such as poor grammar and misspellings. The name might be spelt in all caps or all lowercase. Generally, these types of errors in a profile should raise a red flag.

If you come across a fake profile, follow these steps to submit a report:

  1. Click the More icon on the member’s profile.
  2. Click Report/Block
  3. Select Report this profile in the window that pops up.
  4. Select a reason why you think the profile is suspicious.
  5. Click the submit button to complete the process.

Categories
CYBER SCAMS

Impersonation Scams – What You Need to Know

Reading Time: 5 minutes

An impersonation scam occurs when a person is tricked into making a payment or providing sensitive information to a fraudster who claims to be from a trusted organisation such as a bank, the police, a utility company, or a government department such as HM Revenue & Customs (HMRC). Almost 15,000 impersonation scam cases were reported in 2020, up 84 percent when compared to the same period in 2019.

Top impersonation scams

Clone firm investment scams

Clone firms are bogus companies that have been set up by fraudsters using the details of genuine companies authorised by the FCA (Financial Conduct Authority). With this scam, legitimate investment firms are impersonated to trick people into parting with their cash. Victims are often contacted via social media platforms, marketing emails or search engine channels. Clone firms may offer you investments in products such as student accommodation, cryptocurrency, FX, shares and bonds that are non-tradeable, worthless or even non-existent. According to the FCA, consumers reported average losses of £45,242 each when investing with fraudsters impersonating legitimate investment companies.

How do clone firm scams work?

The process begins with fraudsters setting up a cloned website using the name, address and Firm Reference Number (FRN) of a legitimate firm authorised by the FCA. Much of the content on the bogus website will be the same, but the contact details will be changed, so that when you try to get in touch with the legitimate firm you’ll be corresponding with the fraudsters instead.

How can I avoid being scammed in this way?

Clone firm scams are highly sophisticated, and often very difficult for ordinary people to spot. Even if you do some due diligence by checking the FCA register, it isn’t enough, because you’re dealing with the impersonation of a legitimate firm. This means the Firm Reference Number will be genuine. In fact, fraudsters often encourage victims to check the FCA register as proof of their legitimacy. If you are currently considering an investment opportunity, here are tips offered by the FCA to avoid falling victim to this scam.

  • Check out the regularly updated warning list of firms that you should avoid doing business with.
  • Only deal with investment firms on the FCA register to ensure you’re dealing with an authorised firm.  
  • Use the phone number on the FCA register to ensure that you are dealing with the legitimate firm.
  • Consider getting impartial advice before going ahead with the investment opportunity.
  • Contact the FCA’s consumer helpline for advice.
  • When researching a company online, make sure the name of the firm is spelt correctly.

Make sure you check the register by typing register.fca.org.uk directly into your browser, because the Register itself has also been cloned by fraudsters.

HM Revenue & Customs (HMRC) Scams

In the UK, scams impersonating the tax authorities have been going on since at least 2016. HMRC is a key target for fraudulent campaigns mainly because it is a government department and one of the UK’s most trusted bodies. Media reports suggest that nearly 1 million people in the UK have received calls, emails or texts from criminals impersonating tax officials in the last year. According to the National Trading Standards eCrime unit, HMRC scams are most prevalent around paper and online tax deadlines.

Tax refund email scams

Millions of self-employed Brits who file Self-Assessment tax returns each year are the primary targets for tax refund scams, especially in the run-up to January’s tax return deadline. Around this time, many receive legitimate-looking emails with the HMRC logo that claim they are owed a tax rebate to help protect themselves from the coronavirus (COVID-19) outbreak. The aim of these scams is to trick you into providing sensitive information such as your bank details.

Tax scam emails are becoming increasingly sophisticated, and can be hard to spot because they often appear to come from official government email addresses. They contain the taxman’s official GOV.UK logo, along with the crown. They can also include official-style reference numbers, reference your government gateway account, and are even signed off with the name and/or signature of a real HMRC employee.   

How to spot fake HMRC tax emails:

Fake HMRC tax emails are becoming increasingly difficult to differentiate from the real thing. HMRC have also admitted that many smart fraudsters now have access to falsified ‘from’ addresses that look like an authentic HMRC address, for example ‘@hmrc.gov.uk’. But here are a few things to keep in mind that should make it easier to spot a fake email purporting to be from HMRC:

  • Spelling errors and mistakes in the email’s text are an obvious giveaway.
  • HMRC does contact people about outstanding tax bills, and uses automated messages at times. However, these calls will always include your taxpayer reference number.
  • HMRC will never ask you to disclose confidential information such as your full address, postcode, Unique Taxpayer Reference or bank details.
  • Be suspicious of tax emails that pressure you to act immediately. HMRC have confirmed they do not make these types of threats or demands.
  • HMRC will never send an email or text asking for sensitive information like bank details or personal information for tax rebates or refunds. They only ever send such letters by post. If you’re asked to share sensitive information like bank details to get a tax rebate, you can be 100% sure that it’s a scam.
  • Be cautious of an email that starts with a generic greeting such as “Dear customer”. Emails from HMRC will always use your registered name.
  • HMRC will never provide a link to a secure login page. Customers are advised to avoid clickable links within emails and text messages and instead navigate directly to the secure website and log into their accounts there.

What to do if you receive an email you suspect might be fake

If you receive such an email, HMRC requests that you forward all suspicious emails to phishing@hmrc.gsi.gov.uk for investigation. You can forward suspicious text messages to 60599. Text messages will be charged at your network rate. And if you have cause to believe you may have fallen victim to such a scam, you are advised to report the matter to your bank/card issuer ASAP.

If you are ever unsure about the legitimacy of an email, here’s HMRC’s phishing email guide that provides some insights into how to recognize a fake tax email. HMRC have also published guidance on what’s genuine HMRC communication, and what’s bogus.

HMRC Phone Scams

HMRC phone scams involving criminals impersonating a tax official are often targeted at the elderly and vulnerable. They typically begin with an automated call from “Officer xxx from HMRC” with a warning that there is a criminal court case filed against you and a warrant out for your arrest.

You are urged to call the number provided in the call immediately. On calling that number, you’re likely to be informed that you have an outstanding tax bill that requires urgent payment. You may also be threatened with a criminal record if you refuse to pay. The amount of personal information that the professional-sounding caller shares about you is likely to convince victims that the impersonator is genuine.

Tax scam text messages

One of the most widespread messaging scams is bogus notifications from HMRC. Cybercriminals use text message spoofing, where they substitute the SMS sender ID so that the message appears to come from “HMRC” rather than from a phone number. These messages will typically include hyperlinks to websites that will harvest your confidential information or download malware to your device.

Examples of messages you might receive include:

  • Tax refund: Recipients are told they are entitled to a tax rebate and to click on the included link to claim their refund.
  • Goodwill payment: A Covid-19 scam informing customers they are entitled to a “goodwill payment” with a link where you can apply for this payment. Here’s an example of the scam wording: ‘As part of the NHS promise to battle the COV- 19virus, HMRC has issued a payment of £258 as a goodwill payment. Follow link to apply.’.
  • ‘£250 fine’ text message: This text message claims you are going to be fined £250 for leaving the house more than once. The message also includes an 0800 number to call to appeal and a link for more info.

Categories
CYBER SCAMS

How to Easily Spot and Avoid Instagram Scams

Reading Time: 4 minutes

With over 1 billion active monthly users, Instagram is now the most popular photo and text sharing platform in the world. 100 million users log in every day to share everyday activities and moments. Unfortunately, this popularity has also made Instagram a regular hunting ground for ruthless attackers. According to the BBC, Instagram fraud reports have increased by almost 150% since the pandemic began. And if you don’t have your guard up, you might unwittingly become the next victim of the numerous scams that proliferate on the platform.

Read on to learn about some of the most common scams on Instagram so that you can protect yourself, your money and your identity.

Counterfeit products

According to a study by analytics company Ghost Data, fake brand accounts selling counterfeit goods have almost tripled on Instagram over the last three years and account for 65 million posts a month. The most commonly faked products are bags, shoes and clothes by high-end retailers such as Apple, Gucci, Nike and Louis Vuitton. These fake accounts boost their popularity with fake likes and followers and make consistent posts that help to make them look like the real deal. Ghost Data estimates that as much as 20% of all posts covering fashion promote fake products and more than 50,000 accounts are hawking counterfeit products every day.

To avoid getting scammed, check the account you want to buy from carefully. Is the account verified? The big brands should have a blue verification badge on their account. Click the link on the account to find out where the URL actually leads. Most importantly, use common sense and consider whether it makes sense for a traditionally expensive product to be offered at such a low price. If they have odd payment methods, that should be another major red flag.

Fake Investment schemes

One of the most prolific scams on Instagram is the fake investment scheme, which has ensnared many young people. The scam targets followers of financial institutions on the platform. According to an Action Fraud report, hundreds of young people aged between 20 and 30 are increasingly falling for these cheap “get rich quick” schemes, which have cost 164 victims £358,809 in the UK alone. The scam often begins with a direct message that lures the unsuspecting user to an awesome-looking Instagram page featuring a man surrounded by exotic cars and private jets.

The criminals convince their victims to hand over money with the promise that they will multiply their value by trading on the stock market or by buying and trading foreign currency. The scam promises a massive return on a £600 investment within 24 hours. The feed of the page contains genuine-looking proof in the form of images, testimonials, reviews and videos. But shortly after, the scammer gives the victim excuses as to why they cannot return their money and profits unless more money is sent. Eventually, the victim is blocked from contacting the scammer.

You can avoid falling for this scam by not responding to direct messages that include requests for money from strangers. Before you sign up to any investment-related offers, always verify the identity of the supposed financial company with the Financial Conduct Authority (FCA) or the Securities and Exchange Commission (SEC).

DM Phishing Scams

There are several variations of this scam. For example, you might get a direct message supposedly from Instagram claiming that your account has been hacked or that you’ve been approved for a verification badge. In other cases, you might get a message that your photos have been featured on a porn site, or a message warning that you’ve infringed upon an image’s copyright and will need to fill out a form to avoid having your account suspended.

Whatever the case may be, the aim of these types of messages is to get hold of your login credentials. These messages will usually include a malicious hyperlink. If you click on the link, you’ll be taken to a fake Instagram login page where you’ll be prompted to log in with your email address and password.

Here’s what can happen if you do log in to that page:

  • You’ve provided your login details to a fraudster.
  • You will usually be locked out of your account.
  • Your identity is likely to be stolen.
  • The scammer will attempt to login to all of your online accounts.
  • Malware will likely be sent out to your followers, friends and contacts. 

Use common sense when dealing with any message you receive. Avoid clicking on links that are included in any of these types of messages. You may also want to enable two-factor authentication to protect your account.

Fake giveaways

Giveaways are generally used as a legitimate marketing tactic, but some are scams with non-existent prizes. The main aim of these fraudulent giveaways is to gather as much personal information as possible. The best way to identify a fraudulent giveaway is by looking at the account sponsoring the promotion. If the account has an official company name plus “giveaway” as its username, it’s probably fake. When real companies run a giveaway, they don’t create a separate account for the giveaway. They do it through their official account.

Useless courses

This scam consists of rip-off courses and workshops promoted by so-called experts. Aspiring bloggers and influencers are often caught out by this scam. Before you spend big money on courses, it is important to vet them carefully. Ask for unequivocal money-back guarantees and testimonials from previous students.

Have you been targeted by fraudsters on Instagram? Please share your story in the comments.

Categories
CYBER SCAMS

Facebook Scams: How to Stay Safe and Secure

Reading Time: 12 minutes

If you have a Facebook account, you must realise that you’re at risk of being targeted by fraudsters. With opportunistic criminals doing everything they can to take advantage of a user’s social and psychological naivety, it’s no surprise that scams on social media are at unprecedented levels, and Facebook’s 2 billion+ monthly active users make the platform super-attractive to fraudsters looking for potential victims.

Read on to learn about some of the most common scams that have occurred on Facebook.

On average, over 4.75 billion items are shared by Facebook users each day. Many of these items include links posted to open community fan pages. Unfortunately, many of these links are primarily designed to redirect you to pages that have been infected with different types of malware. Be aware that, unlike in the past, viruses can be downloaded to your computing device just by visiting an infected webpage.

  • Whenever there’s a big news story, attackers will hijack the story to create posts that contain malicious, clickable links and post them all over Facebook. Clicking the link often leads to a blank page, and users might think they’ve simply clicked on a bad link. But just by visiting that page, malware has already been downloaded to that user’s computing device.
  • Attackers create posts with sensational headlines that are designed to appeal to your emotions and entice you to click on the link. For example, “Win a free iPad!” or “Win a trip to Dubai!” More often than not, these posts are scams. They’re an attempt to get you to enter your personal information into a bogus webpage that you’re taken to once you click on the post.
  • If any of your friends’ accounts have been hacked, attackers will often create posts that contain malicious links and post them on your timeline. The fact that the post was shared by a friend is designed to lure you into a false sense of security that the link in the post is safe because it is coming from your friend.
  • Fraudsters use links to videos with the tag “is this you?” or “Hey (your name), what are you doing in this video lol! ” The message will be sent from someone you’re friends with on Facebook. The aim is to get you to click the link, which either directs you to an infected page or asks you to download an application to view the material.

Spoofed Facebook Phishing Emails

According to Vade Secure, a company that specializes in email security, Facebook ranks second in their list of most impersonated brands in phishing campaigns. These campaigns can take several forms. In one example, potential victims are told in an email that their posting privileges have been temporarily restricted for violating Facebook’s standards.

You may also receive fake notification emails. Basically, they spoof Facebook’s email messaging service to make it look as if you have an official message from the platform. The main objective is to get you to click on a malicious link to a bogus Facebook page. Cybercriminals can also develop spoofed Facebook webpages that mimic the real thing. Once you log in with your username and password, you’re handing over your credentials to the cybercriminals who created the page.

If you come across a webpage that prompts you to log in to your Facebook account again, take a good look at the address in your browser’s address bar. It must read ‘facebook.com’. Close any page whose address either doesn’t start with www.facebook.com or has something inserted between ‘facebook’ and ‘.com’: that page is fake.
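The hover check in the LinkedIn section and the address-bar check above come down to the same test: take the hostname of the link’s real target and accept it only if it is the brand’s own domain or a subdomain of it. The Python script below is an added example, not code from the original post; the brand-to-domain table, the lookalike addresses and the function names are all constructed for illustration.

```python
"""Tell a genuine LinkedIn/Facebook link from a lookalike by its hostname.

Added example (not part of the original post): it applies the advice in the
text, namely to look at where a link actually goes and accept it only when
the hostname is the brand's own domain or a subdomain of it. The brand
table, the sample URLs and all function names are constructed assumptions.
"""
import re
from urllib.parse import urlsplit

# Assumed table of the registrable domains each brand legitimately uses.
EXPECTED_DOMAINS = {
    "LinkedIn": ("linkedin.com",),
    "Facebook": ("facebook.com",),
}

# Loose pattern for "this displayed link text looks like a URL or domain".
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.IGNORECASE)


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL ('' if it has none)."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url  # a bare domain would otherwise parse as a path
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def belongs_to(host: str, domain: str) -> bool:
    """True only if host is exactly `domain` or a subdomain on a label boundary.

    The boundary check matters: 'notfacebook.com' ends with 'facebook.com'
    but is a completely different registrable domain.
    """
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, brand: str) -> str:
    """Classify a link for a brand as 'genuine', 'lookalike' or 'unrelated'."""
    host = hostname_of(url)
    if not host:
        return "unrelated"
    if any(belongs_to(host, d) for d in EXPECTED_DOMAINS[brand]):
        return "genuine"
    # Brand name present in the host but not the brand's domain, e.g. the
    # "something between facebook and .com" case the post warns about.
    if brand.lower() in host:
        return "lookalike"
    return "unrelated"


def check_hover_target(displayed: str, href: str, brand: str) -> dict:
    """The hover check: compare what a link shows with where it really goes."""
    target = hostname_of(href)
    shown = hostname_of(displayed) if URL_LIKE.match(displayed.strip()) else ""
    return {
        "target": target,
        "verdict": classify_link(href, brand),
        # True when the link text shows one host but the href goes to another.
        "text_host_mismatch": bool(shown) and shown != target,
    }


if __name__ == "__main__":
    # Constructed sample links modelled on the messages described in the post.
    samples = [
        ("LinkedIn", "Visit your inbox now", "https://www.linkedin.com/messaging/"),
        ("LinkedIn", "www.linkedin.com/inbox", "https://linkedin.com.example.net/inbox"),
        ("Facebook", "Log in to continue", "https://www.facebook.com.login-verify.example/"),
        ("Facebook", "facebook.com", "https://notfacebook.com/login"),
    ]
    for brand, text, href in samples:
        print(brand, repr(text), "->", check_hover_target(text, href, brand))
```

The suffix test in `belongs_to` is deliberately strict about the dot: a host that merely ends in the brand’s domain string, or that has the brand’s domain in the middle followed by more labels, is reported as a lookalike rather than genuine, which is exactly the case the advice above tells you to close.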

Hijacked Facebook accounts

Unfortunately, Facebook hacks occur quite often. The New York Post reports that as many as 160,000 Facebook accounts are compromised every day. When an attacker hacks into a Facebook account, the victim’s connections are often the targets, not the account owners themselves.

The attackers can exploit your family and friends by reaching out and asking for money. They will look through your message history to identify the people that you interact with the most. They will then impersonate you and engineer some kind of crisis to convince the people who care about you to send money to a special account to help you out. Some messages will include a malicious link that infects the devices of people that click on it with malware or leads to a bogus web page designed to steal personal details.

Fake vouchers

For years, fraudsters have been flooding Facebook with tons of discount vouchers supposedly from the likes of the biggest supermarkets and high street stores such as Primark, Waitrose, Morrison’s, Tesco, Aldi and Sainsbury’s. The post includes a clickable link that takes victims to a bogus website where they’re prompted to enter personal information.

Users are also asked to share the voucher with their friends on Facebook. These vouchers exist to steal your personal details and infect your device with malware. As mentioned earlier, simply clicking the link to check out the website is sufficient to download a virus to your computer.

Examples of fake vouchers:

Facebook ad scams

Scam ads on Facebook are bogus ads created by cybercriminals that are designed to not only con people out of their money, but to steal their identity as well as their financial details. According to consumer group Which?, scam adverts aimed at UK consumers have conned almost one in ten people into paying for sham purchases. To facilitate their scams, cybercriminals hijack Facebook accounts and run fake ad campaigns through those accounts using stolen credit cards. Even if those ads only run for a few hours before getting terminated, a few hours are all fraudsters need to see massive returns.

The subscription trap.

The subscription trap is a scam that is targeted towards baby boomers, and different variations of the scam have appeared on Facebook and various search engines. The scam begins with an ad in your news feed that features an intriguing story about one of your favourite celebrities. When you click on the ad, it takes you to a fake news article on a spoofed website that mimics Fox News, TMZ or People magazine. According to the article, the celebrity has created an amazing new skin cream that you can try for a small fee. Model Christie Brinkley was actually used in one of these fake celebrity endorsements for a bogus anti-aging skin cream. You are encouraged to make a small credit card payment for a “free trial” of the product. At that point, you’re charged $4.99 for shipping.

Although you do receive the product (which Christie Brinkley has nothing to do with), by purchasing the free trial you’ve inadvertently signed up to an expensive monthly subscription, which can only be cancelled by cancelling the credit card used for the purchase. Within a month of paying for that product, another charge is made on your credit card. It is estimated that fraudsters have stolen more than $1.3 billion from unsuspecting users with this scam.

In the UK, baby boomers were hit with scam ads on Facebook promoting CBD oil falsely endorsed by Fern Britton and David Attenborough. According to one victim, the ad promised a sample for £2.50, but £170 was later removed from her bank account.

Nonexistent products.

Fraudsters are setting up ads for products on Facebook without any intention of ever delivering those products to customers. The ads hook victims by offering these products at insanely low prices. And scammers are able to target users with many different types of scams based on their likes, interests, age, location and behaviour. Furthermore, if you happen to click on one scam ad, you’re likely to see more of those ads because of the way the Facebook algorithm works. What you must always keep in mind is that if it sounds too good to be true, it is definitely too good to be true.

Cryptocurrency investment trading software scam.

The cryptocurrency scam is one of the most prolific scams that has ever appeared on the internet. It has appeared on Facebook, MSN News, Twitter, Instagram, and many search engines including Google and Yahoo!. Individual losses have been as high as £200,000, and it has impoverished people in several countries, with many victims around the world losing their homes and assets.

How does the scam work?

There are countless variations of the scam, but generally, they all proceed in the same way. The scam begins with a potential investor searching for terms related to Bitcoin or cryptocurrencies. The budding investor is then presented with a fake news story in their newsfeed that features a well-respected, famous celebrity appearing to discuss a specific bitcoin investment scheme. Who you see in your feed will depend on where in the world you live. For example, users in France might see football sensation Kylian Mbappe, users in Australia might see actor Chris Hemsworth, and so on.

After clicking the advertisement, the unsuspecting user is automatically directed to a spoofed website that is built to resemble a well-known mainstream media publication. For example, if you are in the UK, you could be redirected to a fake Mirror news website using a stolen image of the celebrity that was featured in the fake story in your newsfeed. Other users may be directed to a fake BBC news page featuring different famous personalities appearing to endorse the bogus bitcoin investment scheme.

Image captions: entrepreneur Richard Branson featured on a fake Mirror page; finance expert Martin Lewis featured on a fake BBC page; entrepreneur Lord Sugar featured on a fake news media page.

Using highly trusted websites and famous faces is designed to build trust in the product. The fake news stories all claim that the featured celebrity made an astronomical amount of money using a revolutionary automated cryptocurrency trading software which touts itself as “software which enables anyone to trade Bitcoin profitably.” In reality, the news stories are fabricated advertorials, the software doesn’t exist and there are no profits to be made.

If you choose to believe the hype, you’re asked to scroll down to sign up if you want to earn “life changing amounts of money”. Those sucked in by the well-known faces and promises of quick riches register for an offshore CFD (contract for difference) broker.

Shortly after signing up, you’re contacted by an “investment manager” who convinces you to get the ball rolling by purchasing £250 worth of bitcoin. Once you sign up, you’ll receive a link and login details by email to a bogus trading platform.

Over time, your bitcoin value will appear to soar, and the investment manager will keep contacting you to encourage you to buy more and more bitcoin. For example, if you invest £5,000 into the scheme, your investment will be valued at £50,000 on the platform. If you ask to cash out at this stage, the investment manager will transfer some funds to your bank account, which is often enough to reassure people to continue investing rather than cashing out.

But when you do decide to cash out, the investment manager will submit a request for their 10% commission, which you’re required to pay into a bank account before you can cash out. Once that payment is made, you’ll never hear from the investment manager again.

In the UK, at least 108 people claimed they had lost just under £1.5 million in total to the scam.

Fake goods on spoofed websites

Counterfeit products are being peddled by fraudsters impersonating big high street names. What fraudsters will do is use website spoofing to create malicious online shopping sites that are replicas of legitimate and established retail websites. These spoofed websites will have the corporate logos, fonts and brand colours of the real sites. These malicious online shopping stores are hosted by legitimate e-commerce service providers like Shopify.

There are a lot of scammers that operate Shopify stores because the platform has a low barrier to entry, and it’s very easy to get a Shopify store up and running within hours. These scammers also make sure that the country they’re based in is one with lax fraud prosecution laws. This makes Shopify a perfect platform for scammers.

What these fraudsters will then do is steal photos of branded products and retailers’ stock from legitimate websites and feature these products on their stores at knockoff prices, lower than you can find anywhere. They will then set up Facebook and Instagram ads using the stolen photographs and brand images. When you click on the link in the Facebook ad, you are redirected to one of these spoofed websites, which looks exactly the same as the retailer’s.

How to identify a fake website

Cybercriminals are very good at what they do, so it can be difficult to identify a spoofed website. But the last thing you want to do is to enter your financial details into a fake website. This means you need to be super vigilant when shopping online. Here are a few things to look out for when identifying a fake website.

1. The domain name is fishy. This is often the best way to identify a spoofed website. Many of these websites even use HTTPS, so it can sometimes be difficult to tell that you’re on a scam website. But if you take a closer look, you’ll see that the domain name will always be off, 100% of the time. And even though these fake websites will sometimes use a domain name that references an established brand name, it will never be the actual brand name. For example, instead of www.asos.co.uk, you may be taken to something like www.asosdiscounts.com or something like www.discountbrandstore.com.

2. The offer is too good to be true. If it sounds too good to be true, it is probably a scam. Fraudsters target bargain hunters by advertising fake or counterfeit products at heavily discounted prices, using stolen photos or branded images.  

3. They use odd payment methods. If you pay by credit or debit card for something that doesn’t turn up or turns out to be counterfeit, you are entitled to get your money back. Fraudsters are well aware of this, so they will often ask for payment by bank transfer, wire transfer or some other method that cannot be reversed. Being asked to pay that way should be a major red flag.

4. Take a closer look at different pages on the site. Look for contact information. If there is no contact information and all the site offers is a form to fill out, consider that a red flag. 

Facebook Marketplace

Facebook Marketplace is an online shop similar to sites like Gumtree and Craigslist. It allows users to flip old items they no longer need or buy second-hand goods in their local area. The platform has added Facebook Checkout, which provides some degree of protection from scammers through Facebook Purchase Protection. Nevertheless, you should always have your guard up when doing business on Facebook Marketplace.

Here are potential scams to watch out for on Facebook Marketplace.

  • Counterfeit or fake products: a seller advertises genuine products at an incredibly low price, but when you receive the item, you discover the item is either fake or doesn’t work. If the seller is in your local area, try to inspect the item before you pay for it.
  • Criminals often use Facebook Marketplace to quickly get rid of stolen goods, especially things like bicycles, tablets, laptops and smartphones. Buying stolen goods can get you into a lot of trouble with the police if they’re traced back to you, so be cautious when buying.
  • If you will be using PayPal to pay for an item, never select friends and family payments. If you do, you’ll never be able to dispute a transaction if something goes wrong, and fraudsters are well aware of this. If a seller insists on that method of payment, consider it a major red flag.
  • If you’re selling anything, avoid using Venmo as a payment processor. The app forbids using the platform to receive funds for selling anything. It is also often used by scammers to buy items using stolen credit cards. Sellers have suffered huge losses with buyers using the app.

Before you do business with anyone on Facebook Marketplace, first of all make sure that the person has a full Facebook profile with history. If you see only a few pictures, very few or no friends or the profile was only recently created, consider that a major red flag. If you’re selling anything, be wary of anyone who insists on one form of payment.

How to avoid being scammed on Facebook

Facebook has been putting a lot of effort into tackling scams on the platform, and you can do your bit by reporting suspicious activity directly to Facebook.

Facebook has also launched a scam fighting tool to combat scams on social media. In addition, Facebook has also donated £3m to fund Citizens Advice Scams Action, a new anti-scams project now providing one-on-one help to people who have been victims of scams.

But the scammers are still out there. Here are some things you can do to protect yourself.

  • Update your Facebook settings so that you are notified and have the ability to allow or disallow tagging of your profile by anyone.
  • Uninstall apps that ask for permission to access your Facebook credentials. These apps are often spyware.
  • Do not save login information on your smartphones or browsers.
  • Logging into your Facebook account over a public computer or shared computer can leave your account at risk.
  • Remove malicious Facebook applications.
  • Don’t forget to log out of your account whenever you use shared computers.
  • If you receive a message that looks suspicious, report it to Facebook by tapping the ‘Something’s Wrong’ button.
  • If your account wasn’t just compromised, but the hacker is actually sending out spam to your friends, report it to Facebook via Facebook.com/hacked.
  • If you received an email supposedly from Facebook that looks suspicious, forward it to phish@fb.com.
  • Always keep in mind that Facebook will never send strange links or attachments in their emails. If you get any of these emails, report it.
  • If you’re being targeted by anyone on Facebook, you can block, report, ignore or delete their messages.
  • If you suspect that something is not right with a particular account, report it.
  • If you have received notifications from Facebook that you find suspicious, you can report them by clicking here.  
  • If you purchase a product that never arrives, you can report the seller. To do that, visit the seller’s profile, which can be found at the bottom of the product profile. Tap on the “Seller Info” section, and there you’ll find a “Report” button.

If you’ve been the victim of a scam, you can report it to Action Fraud on 0300 123 2040 or use their online reporting tool.

Categories
CYBER SCAMS

The Most Common Apple ID Scams to Watch Out For

Reading Time: 7 minutes

Apple devices have a strong reputation for being highly secure and even resistant to most forms of malware. However, users of Apple platforms and devices can still be susceptible to online scams that target user trust to solicit sensitive data such as login credentials and personal information. Cyber scams involving Apple IDs are generally phishing attacks, and accounted for a third of all data breaches in 2019.

There are over one billion active Apple devices which require Apple IDs to access Apple services such as iCloud, iMessage, Apple Music, etc. Apple have repeatedly stated they will never ask for personal details by text or email. But the nature of some of these scams means there are times when you may be fooled into thinking that you’ve been sent some legitimate correspondence by Apple.

Why fraudsters want your Apple ID

Your Apple ID is valuable to fraudsters because it is what you use to access anything Apple-related, and it stores a lot of valuable information. You use it to log in to all of your Apple devices. It includes your payment and shipping information, and it allows you to access your subscriptions, in-app purchases, etc. Your Apple ID is also used to access iCloud, where you can store private photos and other types of valuable files that can be used to target you if they fall into the wrong hands. This is why you need to guard your Apple ID with everything you’ve got.

Here are 7 of the most common and dangerous Apple scams to watch out for.

iCloud phishing scams

Cybercriminals behind Apple email phishing campaigns create authentic-looking invoices and email messages that can be very convincing if you’re not paying attention. You may receive messages purportedly from Apple support saying that your iCloud account has been locked for security reasons. The message often includes a live, malicious link that will take you to a bogus Apple login page, hoping you’ll be tricked into giving up your credentials on the fake page.

Some of these emails will include Apple’s support number and official address which can be a near carbon copy of an email you might actually receive from Apple. These emails have been successful in tricking many unsuspecting Apple customers into handing over sensitive data to fraudsters.

Here’s an example of a fake iCloud message:

If you have received a phishing email that is designed to look like it came from Apple, send it to reportphishing@apple.com.

Fake receipt or invoice scams

This type of scam is designed to fool the recipient into thinking that a 3rd party has misused their Apple ID to make a fraudulent purchase. The receipts or invoices used appear to be official Apple documentation, and if you’re not paying attention, they can fool you into thinking they came from Apple.

Here’s an example:

If you’ve received such a message, your first instinct would be to contact Apple to cancel the purchase. This is what the fraudster is banking on. And the fake invoice will conveniently have a link that you can quickly click to cancel the purchase. When you do click, it will bring you to a bogus Apple webpage that is designed to steal your personal information.

iMessage scams

With the exponential rise in smartphone users, you’re just as likely to receive a phishing message through iMessage. There are several variants of this scam. You might get a message that claims to come from Apple support saying your Apple ID has expired or is going to expire on the day you receive the message. You’ll be prompted to click on a link in the message to restore your account.

Other variations of the scam inform the recipient that their account is about to be deleted unless they click on the link included in the message. If you happen to click on the link, you’ll be taken to a fake webpage that mimics the legitimate Apple website. When messages are sent via iMessage, they often arrive from an undisclosed sender. Some of the text messages include an anonymised phone number with an overseas code. 

Here are Apple’s top tips that can help you spot phishing scams:

  1. The sender’s phone number or email doesn’t match the company name it claims to come from.
  2. Apple will NEVER ask you to provide personal details by text message or email.
  3. Your email address doesn’t match the one you gave the company.
  4. The message asks for sensitive information such as your credit card details, account password or personal information.
  5. The link in the email looks authentic, but takes you to a website with a URL that is different from the company’s website. 
  6. The message uses a generic message such as “Dear customer” rather than your real name. Legitimate companies will often address you by your real name. 
  7. The grammar and spelling are often poor, but this is not always the case.
  8. The message looks very different from other messages you’ve received from the company.
  9. The message is unexpected and includes an attachment.
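As an added example (not code from the original article) of the checks behind the “domain name is fishy” advice in the fake-website section above and Apple’s tips 1, 5 and 6 here, the Python script below flags a host that mentions a known brand but is not controlled by that brand, a sender address or link target that does not belong to the claimed company, and a generic greeting. The brand table, the public-suffix shortcut and the sample messages are constructed assumptions.

```python
"""Added example (not from the original article): heuristic checks for the
"domain name is fishy" tip and for Apple's phishing tips 1, 5 and 6.
Standard library only; the brand table and sample messages are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed brand table (assumption): brand keyword -> registrable domains the brand really uses.
KNOWN_BRANDS: dict[str, set[str]] = {
    "asos": {"asos.com", "asos.co.uk"},
    "apple": {"apple.com", "icloud.com"},
    "bbc": {"bbc.co.uk", "bbc.com"},
}

# Simplified public-suffix handling (assumption): enough for the UK examples on this page.
_TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname a registrant actually controls
    (e.g. 'www.asos.co.uk' -> 'asos.co.uk', 'a.b.example.com' -> 'example.com')."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(url: str) -> str:
    """Extract the hostname; accept a bare 'www.example.com' as well as a full URL."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Only treat visible link text as a URL when it is written like one."""
    return bool(re.match(r"^(https?://|www\.)\S+$", text.strip(), re.IGNORECASE))


def check_url(url: str) -> list[str]:
    """Tip: the domain name is fishy. Flag hosts that mention a known brand
    while the registrable domain is not one the brand really uses."""
    host = host_of(url)
    owner = registrable_domain(host)
    warnings = []
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in host.replace("-", "") and owner not in real_domains:
            warnings.append(
                f"{url}: mentions '{brand}' but is controlled by {owner}, "
                f"not {sorted(real_domains)}"
            )
    return warnings


@dataclass
class Message:
    claimed_brand: str               # who the message says it is from
    from_address: str
    links: list[tuple[str, str]]     # (visible link text, real href)
    greeting: str


def check_message(msg: Message) -> list[str]:
    warnings = []
    # Apple tip 1: the sender address does not belong to the company it claims.
    sender_owner = registrable_domain(msg.from_address.split("@")[-1])
    if sender_owner not in KNOWN_BRANDS.get(msg.claimed_brand, set()):
        warnings.append(f"sender {msg.from_address} is not a {msg.claimed_brand} address")
    for text, href in msg.links:
        # Apple tip 5: the link text looks authentic but the href goes elsewhere.
        if looks_like_url(text) and registrable_domain(host_of(text)) != registrable_domain(host_of(href)):
            warnings.append(f"link shows {text} but points to {href}")
        warnings.extend(check_url(href))
    # Apple tip 6: a generic greeting instead of your real name.
    if re.match(r"^dear\s+(customer|user|client|member)\b", msg.greeting.strip(), re.IGNORECASE):
        warnings.append(f"generic greeting: {msg.greeting.strip()!r}")
    return warnings


# Constructed samples: one phishing-style message and one that passes every check.
PHISHING = Message(
    claimed_brand="apple",
    from_address="support@appleid-verify.com",
    links=[("https://appleid.apple.com/verify", "https://appleid.apple.com.verify-login.net/x")],
    greeting="Dear Customer,",
)
LEGIT = Message(
    claimed_brand="apple",
    from_address="noreply@email.apple.com",
    links=[("https://support.apple.com", "https://support.apple.com/en-gb")],
    greeting="Dear Jane,",
)

if __name__ == "__main__":
    for url in ("www.asos.co.uk", "www.asosdiscounts.com", "www.discountbrandstore.com"):
        print(url, "->", check_url(url) or "no warning")
    for name, msg in (("phishing", PHISHING), ("legit", LEGIT)):
        print(name, "->", check_message(msg) or "no warning")
```

Note that a host such as www.discountbrandstore.com, which references no brand at all, passes the domain check, which is exactly the limit of this heuristic: it catches lookalikes, not every fake shop.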

Persistent pop-up ads in Safari

Pop-ups include random ads, offers or alerts that suddenly open in your current browser window or in a new window. There are many variations of this scam. Some will claim your Apple device has been infected with a virus. Others might provide a fake number for you to contact Apple support. They may also claim to offer software updates, plug-ins or free downloads to try to trick you into downloading malware onto your machine.

Be aware that some ads and pop-ups have fake buttons that resemble the close button, so you’ll need to be very careful when closing them. If you’re not sure how to close them, simply close the Safari window.

Here are some tips from Apple to help you manage pop-ups and other random interruptions.

  • Always ensure that you’ve installed the latest security updates for all of your Apple products. Many of the updates contained in the latest releases include enhancements that help to control pop-ups.
  • The App Store is the safest place to download apps for your Mac. If you need 3rd party software for your computing device that is not available in the Apple App Store, get it directly from the developer or a trusted source, rather than through an ad or link.
  • Keep Safari’s security settings switched on, especially Block Pop-ups and Fraudulent Website Warning.

To switch on these settings on your iPhone, iPad or iPod touch, go to Settings > Safari. On your Mac, you can find these options in Safari > Preferences. You can switch on fraudulent site warnings in the Security tab.

If you see persistent ads or pop-ups on your Mac, you may have inadvertently downloaded and installed adware when downloading apps or games from 3rd party sites. To get rid of adware from your Mac, update to the latest version of macOS. This operating system includes a built-in tool that removes known malware when your Mac is rebooted.

Fake apps

Apple is extremely vigilant at keeping malicious apps out of the iOS App Store. However, hundreds of counterfeit apps masquerading as the real thing have been able to slip through the cracks. Some of these dangerous apps have ranked in the Top 100 of the official app store. In some cases, they have been downloaded more than 100,000 times. One example of this type of malware is a backdoor malware that masquerades as a legitimate software program. It performs the same functions as the real app, but also installs additional malicious software that can provide a backdoor into your Mac platform, allowing attackers access to your sensitive data.

Due to bugs in Apple’s app store algorithm, some of these apps can appear high in the search rankings, increasing the likelihood that they will be downloaded by some unsuspecting users. This is why it is so important to always be on your guard for apps with vague app titles and questionable reviews.

Ransomware

Ransomware is a type of malware attack where your computer is rendered inaccessible until you pay a ransom to get your files decrypted. Although ransomware is mainly a concern for Windows computers, Macs have also been affected by ransomware attacks, even though there hasn’t been a serious ransomware outbreak on the Mac or any other Apple hardware.

Nevertheless, security experts maintain that Apple users are vulnerable to WannaCry-type attacks. To protect your Apple device from ransomware, consider installing the free RansomWhere? App. This app runs in the background and watches for any activity that resembles a ransomware attack, such as the rampant encrypting of files. It then halts the process and lets you know what’s happening.

Scam phone calls

An Apple phone scam begins with you getting a call from a fake support technician claiming to be calling on behalf of Apple. The scary thing is that some fraudsters may contact you using spoofed phone numbers. This means the number that is displayed on your phone would be a real Apple number, with Apple’s logo, official website, customer support number, and actual address. This way, everything looks authentic. What is even more scary is that if you are an iPhone owner and you request a call back from Apple’s customer support, the bogus call will be indexed in your phone’s “recent calls” list as a previous call from the Apple Support line.

The reason fraudsters will give for the call is that your device has been infected with malware, and they’re calling to help you get rid of it. They will try to talk you into downloading remote access software, which will allow them to connect to your computer and be able to access everything on it. The plan is to download malware and take full control of your computer to steal all of your sensitive information.

How to deal with scam Apple phone calls

  • Apple support will never contact you out of the blue to fix anything. You would have to initiate the process with a request for support. If anyone calls you claiming to be from Apple, turn down whatever they are offering and hang up the phone.
  • Never provide personal information over the phone.
  • Never grant remote access to anyone over the phone unless you initiated the process yourself, and you are 100% sure that you are dealing with Apple support.

Categories
ANDROID SECURITY

Top 10 Dangerous Android Security Threats to Watch out for in 2021

Reading Time: 8 minutes

Smartphones have become an integral part of modern life and they play a massive role in our work and personal lives every day. The need to protect our phones is critical, given the sheer amount of sensitive data that we store on them. Many of us are now spending more time on our phones than our desktops or laptops.

With 2 billion+ monthly active devices, Android is the largest and most popular platform in the world. In fact, according to Statista, there were over 108 billion Play Store downloads in 2020. It should therefore be no surprise that Android devices have become the number one target for cyberattacks.

The good news is that Android is by its very nature a very secure operating system, with multiple layers of defense to protect itself from dangerous cyberattacks such as malware. But since 95% of cybersecurity breaches are caused by human error, it is the smartphone owner that is the biggest threat to their phone’s security.

For example, according to a survey by Consumer Report, 34 percent of all smartphone owners do not bother at all with their device’s security. According to the study, this explains why so many people’s accounts get hacked when their devices get stolen.

With that being said, here’s a look at some of the biggest cybersecurity threats to Android smartphones in 2021.

  1. Social engineering
  2. Fake apps
  3. Official app store insecurities
  4. Mobile malware
  5. Third party app stores
  6. Lack of security updates and patches for Android
  7. Fake antivirus for Android
  8. Poor password hygiene
  9. Unsecured Wi-Fi
  10. Billing Fraud

1. Social engineering.

This devious tactic is now just as prevalent on the mobile front as it is on desktops, and the modus operandi is the same: social engineers try to fool unsuspecting users into clicking on malicious links by impersonating family, friends or trusted organisations. And social engineering attacks on mobiles aren’t just an email thing. In fact, 83% of phishing attacks in 2020 took place in text messages or in apps like Facebook Messenger and WhatsApp, along with a variety of popular gaming apps and social media services.

These platforms have all been used to launch sophisticated phishing attacks on mobile devices. Furthermore, mobile users have been found to be 3 times more vulnerable to phishing attacks than desktop users, presumably because the smaller screen size on smartphones makes it a lot easier to spoof messages and trick users into thinking that a message was sent by someone they trust.

2. Fake apps.

Attackers may try to get into your smartphone using dangerous fake apps. Fake apps are Android or iOS apps that mimic the appearance and functionality of legitimate, popular programs that people already love to use. The aim is to con unsuspecting users into installing these bogus applications. These apps tend to perform a series of malicious activities once they have been downloaded and installed. These include stealing money from your bank account, infecting devices with malware, collecting sensitive info or aggressively inundating your handset with ads.

Types of fake apps

There are three main types of fake apps:

1. Imposter apps

These are bogus apps that mimic the appearance and behaviour of the original, legitimate apps. They often have the same user interface and description, and because they cannot use the same name as the original, they use a name that is similar to it. For example, “Update WhatsApp” was a fake app that looked like it was created by the company that created the original. It was so good that it fooled more than one million people into downloading it.

The problem of imposter apps is compounded by the fact that 50 percent of users often find it difficult to distinguish fake apps from the real thing.

2. Fleeceware

There are apps that appear to perform the function for which they were downloaded, and there is nothing overtly malicious in the code of these apps. The problem is that these apps come with hidden, excessive subscription fees. Furthermore, if you don’t know how to properly cancel the subscription, the app will keep charging you long after you have deleted it from your phone.

3. Ad malware

These types of app could be a simple game or provide a simple function, but they are designed to generate ad income by constantly inundating users with ads to force them to view or click adverts.

Examples of the damage that fake apps can do include:

  • Harvesting your location data and contacts list.
  • Stealing your banking details.
  • Subscribing your device to premium services.
  • Recording your conversations.
  • Changing the web browser’s homepage and search engine without your permission.

Some of the most popular malicious apps to avoid include:

  1. Snaptube
  2. GPS speedometer
  3. Free messages, Video, Chat, Text for Messenger Plus
  4. Easy Scanner
  5. Weather Forecast
  6. Super Calculator
  7. Who Unfriended Me
  8. VidMate
  9. Quicktouch

Click here for more info on how to spot and avoid fake apps.

3. Official app store insecurities.

Some malicious apps have slipped through the cracks on both the Apple App Store and Google Play. So, even though you might have never downloaded apps from third party sites, you may still be at risk of falling for this scam. The official stores failed to identify several advanced cyberattack techniques and have been responsible for distributing malicious apps disguised as legitimate ones. For example, some fake camera apps on Google Play were able to amass between 500,000 and 1 million downloads in just a few days before they were detected and removed.

In many cases, these malicious apps are able to get past the rigorous checks of the official stores by submitting clean apps to start with, and then adding malicious functionality later on. The authors of these apps also manufacture positive reviews to encourage downloads.

Consider the following horrifying facts and figures as reported by Arxan Technologies:

  • 97% of top 100 paid Android apps and 87% of top 100 paid iOS apps have been hacked.
  • 80% of popular free Android apps have been hacked and 75% of the popular free iOS apps have been hacked.
  • Mobile financial apps are still at risk – 95% of the Android financial apps reviewed were “cracked” while 70% of the iOS financial apps were hacked.
  • 90% of retail/merchant Android apps and 35% of retail/merchant iOS apps have been compromised.
  • 90% of Android healthcare/medical apps have been hacked, 22% of which are FDA approved.

Normally, if you have downloaded an app that has been identified as malicious, you should get a notification from Google Play. But it’s important to realize that this doesn’t mean all of the apps you don’t get notified about are completely safe. Click here to check if you’ve downloaded any of these malicious apps.

4. Mobile malware.

Mobile malware is malicious software that attacks the operating system on mobile devices. Right now, there are far more threats to desktop than to mobile thanks to the security of mobile operating systems, but mobile malware is a growing concern for users.

Here are the most common types of mobile malware:

  • Adware. Adware is the most prevalent type of malware found on smartphones. According to Avast, it accounts for 72% of all mobile malware. Adware gets onto smartphones through the installation of a script or program without the user’s knowledge. Adware works by collecting data from your phone in order to inundate you with ads.
  • Spyware. Spyware is designed to secretly monitor and record information about your activities and send that information to a third party.
  • Trojan. A Trojan on your smartphone typically appears as a text message. It is designed to send premium text messages that will increase your phone bill.
  • Mobile ransomware. Mobile ransomware encrypts data on your phone and demands money to decrypt that data.
  • Browser hijacker. This malware takes over your browser settings to promote malicious content from your phone.

A lot of malware doesn’t stay on your phone after a reboot, so make it a habit to reboot your phone on a regular basis.

5. Third party app stores.

The main problem with third party app stores is that they may not vet apps with the same level of scrutiny as the Apple App Store or Google Play. This means that you cannot be 100% sure of the apps that you download from a third party store. Admittedly, you can also unwittingly download malicious apps from either of the official app stores. In any case, the risks are definitely greater with third party app stores.

For example, you can get popular apps at a cheaper price on any one of these stores, but that deal can put the security of your data at risk if malicious code has been injected into the popular app you bought through a third party store. Third party app stores could also share your data with other parties without your knowledge or permission. As a security measure, if you have a third party app that requests excessive permissions or access to data, remove it and search for an alternative, because it is likely to be malicious.

6. Lack of security updates and patches for Android.

Security updates are vitally important to repair security holes or fix known software vulnerabilities. Software engineers release updates and patches once they have fixed known vulnerabilities. When new security updates are ready for Android, your phone will prompt you to install a new version of its firmware. However, if you have an older Android phone, you may be at greater risk because Google no longer issues security updates for version 6.0 of the Android operating system or below.

This can be a big problem because it means that if you are using an Android phone that was released in 2012 or earlier, flaws in the older version will remain open and potentially vulnerable to cybercriminals. This puts you at a greater danger of all kinds of cyberattacks including ad fraud, data theft and mobile malware.

To find out the Android OS of your phone, swipe down from the top of the screen and tap the settings icon

7. Fake antivirus for Android

According to a study by Austrian antivirus testing company AV-Comparatives which specializes in testing antivirus products, most of the Android AV apps on Google Play are ineffective against malware. In and of itself, Android is a pretty secure OS, so you probably don’t need to install AV apps like Norton or AVG on your phone, because these apps can actually be detrimental to your system’s performance. A robust cybersecurity strategy can be more effective for your smartphone than certain types of antivirus software.

8. Poor password hygiene

Not securing your phone properly with a strong password can be especially problematic and very dangerous. In this day and age, the need to secure our phones is more critical because of the sheer amount of sensitive data on these devices. Studies show that mobile banking is one of the top three most used apps by Brits. If your mobile is stolen or hacked, a poorly secured device will expose you to all types of cybercrime including identity theft, data theft and all types of cyberattacks.  

Click here for 15 ways to boost the security of your Android phone.

9. Unsecured Wi-Fi

Free and public Wi-Fi networks found in public places such as train stations, coffee shops, malls, restaurants and hotels are a popular hunting ground for hackers. This is because most users constantly connect to these potentially insecure networks without taking any steps to secure their data. If you aren’t taking steps to stay safe and secure when accessing public networks, you’re potentially leaving the door open to man-in-the-middle and other cyberattacks that might be lurking in the background of these networks.

Here are a few tips to keep you safe on public Wi-Fi

  • Use a VPN to ensure that your public Wi-Fi connections are made private, especially when you are visiting websites that require you to login with a username and password.
  • Turn off file sharing before you log on to a public Wi-Fi network, because this can leave you vulnerable to hackers.
  • Always use secure websites when using public Wi-Fi. Note however that some sites that use HTTPS and SSL are actually set up by cybercriminals. For example, 58% of phishing websites now use HTTPS.

10. Billing fraud

Billing fraud (also known as toll fraud) is a fraudulent process where a malicious app on your smartphone silently subscribes you to a vast number of premium wireless application protocol (WAP) services. In some countries, an acknowledgement is required from the user before the charge is processed. To counter this, the malware intercepts the acknowledgement messages on the infected device and answers them for you. As a result, the subscription appears to have been acknowledged by you, continues running and can cost you hundreds of pounds per month. Unfortunately, you may not detect it until you receive a massive bill from your provider. Since your service provider already received an acknowledgement from your phone, you are likely to be found liable for the charges.

The most persistent form of this threat is Joker malware (a.k.a. Bread), which has been plaguing Android phones since 2017. Joker gets on your phone by attaching itself to legitimate apps in the Google Play store. It has been designed to be very hard to detect, and it constantly evolves to stay that way. Once installed on your phone, it starts to spy on your activities, harvesting information and sending it back to cybercriminals. It can also steal text messages, contact lists and device information. The Google security team has removed 1,700 apps from Google Play that this malware attaches itself to, but it keeps on re-emerging.

If you own an Android smartphone, go through your app list to see if you have any of the following apps installed on your phone.

  • All Good PDF Scanner
  • Mint Leaf Message-Your Private Message
  • Unique Keyboard – Fancy Fonts & Free Emoticons
  • Tangram App Lock
  • Direct Messenger
  • Push Message – Texting&SMS
  • Emoji Wallpaper
  • Fingertip GameBox
  • Private SMS
  • One Sentence Translator – Multifunctional Translator
  • Style Photo Collage
  • Meticulous Scanner
  • Desire Translate
  • Talent Photo Editor – Blur focus
  • Safety AppLock
  • Care Message
  • Part Message
  • Paper Doc Scanner
  • Blue Scanner
  • Hummingbird PDF Converter – Photo to PDF

If you are using one of these apps, you must remove it from your phone immediately to avoid getting defrauded.
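The check described above can be automated rather than done by eye. The following script is an added example and is not code from the article or from Google; it compares a device's app inventory against the app names listed above and folds away the cosmetic differences (dash style, "&" versus "and", case and spacing) that would otherwise hide a match. The `SAMPLE_INVENTORY` list is a constructed, hypothetical set of app labels; on a real device you would fill it from your app list.

```python
import re
import unicodedata

# Display names of the apps the article lists as carriers of Joker (Bread) malware.
KNOWN_JOKER_APPS = [
    "All Good PDF Scanner",
    "Mint Leaf Message-Your Private Message",
    "Unique Keyboard – Fancy Fonts & Free Emoticons",
    "Tangram App Lock",
    "Direct Messenger",
    "Push Message – Texting&SMS",
    "Emoji Wallpaper",
    "Fingertip GameBox",
    "Private SMS",
    "One Sentence Translator – Multifunctional Translator",
    "Style Photo Collage",
    "Meticulous Scanner",
    "Desire Translate",
    "Talent Photo Editor – Blur focus",
    "Safety AppLock",
    "Care Message",
    "Part Message",
    "Paper Doc Scanner",
    "Blue Scanner",
    "Hummingbird PDF Converter – Photo to PDF",
]


def normalize(label: str) -> str:
    """Canonicalise an app label so cosmetic differences do not hide a match.

    Store listings and device inventories differ in dash style (en dash, em
    dash, hyphen), '&' versus 'and', spacing and case, so all of those are
    folded away before comparison.
    """
    s = unicodedata.normalize("NFKC", label).lower()
    s = s.replace("&", " and ")          # 'Texting&SMS' and 'Texting and SMS' agree
    s = re.sub(r"[^a-z0-9]+", " ", s)     # every dash or punctuation mark becomes a space
    return " ".join(s.split())            # collapse runs of whitespace


# Normalised name -> the article's canonical spelling.
_KNOWN = {normalize(name): name for name in KNOWN_JOKER_APPS}


def find_flagged_apps(installed_labels):
    """Return the article's canonical name for each installed app on the list, in inventory order."""
    hits = []
    for label in installed_labels:
        canonical = _KNOWN.get(normalize(label))
        if canonical and canonical not in hits:
            hits.append(canonical)
    return hits


# Constructed sample inventory for a hypothetical device (not real data).
SAMPLE_INVENTORY = [
    "Chrome",
    "Push Message - Texting & SMS",   # hyphen and spaced ampersand, still matches
    "Gmail",
    "BLUE SCANNER",                   # case differs, still matches
    "Paper Doc Scanner",
    "Maps",
]

if __name__ == "__main__":
    for name in find_flagged_apps(SAMPLE_INVENTORY):
        print("remove:", name)
```

A name match is only a first screen: an app on this list should be removed, but an app missing from it is not thereby proven clean, since Joker keeps reappearing under new names.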